Progress: Procedure completed
Role | Committee | Rapporteur | Shadows |
---|---|---|---|
Lead | ITRE | DANTI Nicola ( Renew) | VIRKKUNEN Henna ( EPP), COVASSI Beatrice ( S&D), CORRAO Ignazio ( Greens/EFA), TOŠENOVSKÝ Evžen ( ECR), GAZZINI Matteo ( ID) |
Committee Opinion | IMCO | Marcel KOLAJA ( Verts/ALE), Adriana MALDONADO LÓPEZ ( S&D) | |
Committee Opinion | LIBE |
Lead committee dossier:
Legal Basis:
RoP 57_o, TFEU 114
Legal Basis:
RoP 57_o, TFEU 114Subjects
- 2.10.03 Standardisation, EC/EU standards and trade mark, certification, compliance
- 3.30.06 Information and communication technologies, digital technologies
- 3.30.07 Cybersecurity, cyberspace policy
- 3.30.25 International information networks and society, internet
- 4.60.08 Safety of products and services, product liability
- 6.20.02 Export/import control, trade defence, trade barriers
Events
PURPOSE: to lay down a horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements.
LEGISLATIVE ACT: Regulation (EU) 2024/2847 of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).
CONTENT: the regulation establishes:
- rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products;
- essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products with respect to cybersecurity;
- essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes;
- rules on market surveillance and enforcement of the above-mentioned rules and requirements.
Scope
The regulation will apply to all products that are connected either directly or indirectly to another device or to a network . Consumer products with digital elements categorised as important products with digital elements present a higher cybersecurity risk by performing a function which carries a significant risk of adverse effects in terms of its intensity and ability to damage the health, security or safety of users of such products, and should undergo a stricter conformity assessment procedure.
This includes, in particular: (i) identity management systems and privileged access management software and hardware, including authentication and access control readers and biometric readers; (ii) password managers; (iii) software that searches for, removes or quarantines malicious software; (iv) products with digital elements with virtual private network (VPN) functions; (v) routers, modems for connecting to the internet; (vi) smart home general purpose virtual assistants; (vii) smart home products with security features, including smart door locks, security cameras, baby monitors and alarm systems; (viii) connected toys; or (ix) personal wearable products. Exceptions are provided for products for which cybersecurity requirements are already set out in existing EU rules, such as medical devices, aeronautical products and cars.
Stakeholder consultation
When preparing measures for the implementation of this regulation, the Commission will consult and take into account the views of relevant stakeholders, such as relevant Member State authorities, private sector undertakings, including microenterprises and small and medium-sized enterprises, the open-source software community, consumer associations, academia, and relevant Union agencies and bodies as well as expert groups established at Union level.
Essential requirements
Manufacturers will ensure that all products with digital elements are designed and developed in accordance with the essential cybersecurity requirements set out in the Regulation. They will also carry out a cybersecurity risk assessment of a product with digital elements and take the results of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements, with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including on the health and safety of users.
The cybersecurity risk assessment will be documented and updated during a support period . When placing a product with digital elements on the market, the manufacturer will ensure that vulnerabilities in that product are managed effectively and in accordance with the essential requirements. When identifying a vulnerability in a component, including an open-source software component, that is integrated into the product with digital elements, the manufacturer will report the vulnerability to the person or entity that maintains the component, and address and remediate the vulnerability.
Manufacturers will: (i) systematically document, in a manner that is proportionate to the nature and the cybersecurity risks; (ii) ensure that each security update, which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years after the product with digital elements has been placed on the market or for the remainder of the support period; (iii) set up a single point of contact that enables users to communicate easily with them, including for the purpose of reporting on and receiving information about the vulnerabilities of the product with digital element; (iv) ensure that products with digital elements are accompanied by the information and instructions for the user.
Reporting obligations of manufacturers
A manufacturer will notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA.
The manufacturer will also submit: (i) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; (ii) a vulnerability notification , without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability. To simplify the reporting obligations of manufacturers, a single reporting platform will be established by ENISA.
For example, software and hardware products will bear the CE marking to indicate that they comply with the regulation's requirements. The CE marking must be affixed in a visible, legible and indelible manner to the product containing digital elements.
The new law will allow consumers to take cybersecurity into account when selecting and using products that contain digital elements, making it easier for them to identify hardware and software products with the proper cybersecurity features.
ENTRY INTO FORCE: 10.12.2024.
APPLICATION: from 11.12.2027.
Final act
The European Parliament adopted by 517 votes to 12, with 78 abstentions, legislative resolution on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.
This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.
The European Parliament's position adopted at first reading under the ordinary legislative procedure amends the proposal as follows:
Important products with digital elements (Annex III)
Certain categories of products with digital elements should be subject to stricter conformity assessment procedures . Consumer products with digital elements categorised in this Regulation as important products with digital elements present a higher cybersecurity risk by performing a function which carries a significant risk of adverse effects in terms of its intensity and ability to damage the health, security or safety of users of such products, and should undergo a stricter conformity assessment procedure. This applies to smart home products with security functionalities, such as smart door locks, baby monitoring systems and alarm systems, connected toys and personal wearable health technology.
The Commission is empowered to adopt delegated acts to amend Annex III of the Regulation by including in the list a new category within each class of the categories of products with digital elements and specifying its definition, moving a category of products from one class to the other or withdrawing an existing category from that list.
Critical products with digital elements (Annex IV)
The categories of products with digital elements referred to in the Regulation have a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products or to the health, security or safety of its users through direct manipulation.
The Commission is empowered to adopt delegated acts to supplement this Regulation to determine which products with digital elements that have the core functionality of a product category that is set out in Annex IV to this Regulation are to be required to obtain a European cybersecurity certificate at assurance level at least ‘substantial’ under a European cybersecurity certification scheme, to demonstrate conformity with the essential requirements set out in Annex I to this Regulation or parts thereof, provided that a European cybersecurity certification scheme covering those categories of products with digital elements has been adopted and is available to manufacturers.
Stakeholder consultation
When preparing measures for the implementation of this Regulation, the Commission should consult and take into account the views of relevant stakeholders, such as relevant Member State authorities, private sector undertakings, including microenterprises and small and medium-sized enterprises, the open-source software community, consumer associations, academia, and relevant Union agencies and bodies as well as expert groups established at Union level.
In order to respond to the needs of professionals, Member States with, where appropriate, the support of the Commission, the European Cybersecurity Competence Centre and ENISA, while fully respecting the responsibility of the Member States in the education field, should promote measures and strategies aiming to develop cybersecurity skills and create organisational and technological tools to ensure sufficient availability of skilled professionals in order to support the activities of the market surveillance authorities and conformity assessment bodies.
Obligations of manufacturers
Manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements. The cybersecurity risk assessment should be documented and updated as appropriate during a support period .
From the placing on the market and for the support period, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements should immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.
Manufacturers should, upon identifying a vulnerability in a component, including in an open source-component, which is integrated in the product with digital elements report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability.
Manufacturers should:
- determine the support period so that it reflects the length of time during which the product is expected to be in use, taking into account, in particular, reasonable user expectations, the nature of the product, including its intended purpose, as well as relevant Union law determining the lifetime of products with digital elements;
- ensure that each security update , which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years after the product with digital elements has been placed on the market or for the remainder of the support period;
- set up a single point of contact that enables users to communicate easily with them, including for the purpose of reporting on and receiving information about the vulnerabilities of the product with digital element.
Reporting obligations of manufacturers
A manufacturer should notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator and to ENISA. The manufacturer should submit:
(i) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; (ii) a vulnerability notification , without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability. A manufacturer should notify any severe incident having an impact on the security of the product with digital elements.
Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. In order to simplify the reporting obligations of manufacturers, a single reporting platform should be established by ENISA.
Text adopted by Parliament, 1st reading/single reading
The Committee on Industry, Research and Energy adopted the report by Nicola DANTI (Renew, IT) on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.
The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:
Security updates
The amended text stated that manufacturers should ensure, where technically feasible, that products with digital elements clearly differentiate between security and functionality updates. Security updates, designed to decrease the level of risk or to remedy potential vulnerabilities, should be installed automatically , in particular in the case of consumer products.
Enhancing skills in a cyber resilient digital environment
Members stressed the importance of professional skills in the cybersecurity field, proposing education and training programmes, collaboration initiatives, and strategies for enhancing workforce mobility.
Point of single contact for users
In order to facilitate reporting on the security of products , manufacturers should designate a point of single contact to enable users to communicate directly and rapidly with them, where applicable by electronic means and in a user-friendly manner, including by allowing users of the product to choose the means of communication, which should not solely rely on automated tools.
Manufacturers should make public the information necessary for the end users to easily identify and communicate with their points of single contact.
Guidelines
The amended text included provisions for the Commission to issue guidelines to create clarity, certainty for, and consistency among the practices of economic operators. The Commission should focus on how to facilitate compliance by microenterprises, small enterprises and medium-sized enterprises.
Conformity assessment procedures for products with digital elements
Harmonised standards, common specifications or European cybersecurity certification schemes should be in place for six months before the conformity assessment procedure applies.
Mutual recognition agreements (MRAs)
To promote international trade, the Commission should endeavour to conclude Mutual Recognition Agreements (MRAs) with third countries. The Union should establish MRAs only with third countries that are on a comparable level of technical development and have a
compatible approach concerning conformity assessment. The MRAs should ensure the same level of protection as that provided for by this Regulation.
Procedure at EU level concerning products with digital elements presenting a significant cybersecurity risk
Where the Commission has sufficient reason to consider that a product with digital elements presents a significant cybersecurity risk in light of non-technical risk factors, Members considered that it should inform the relevant market surveillance authorities and issue targeted recommendations to economic operators aimed at ensuring that appropriate corrective actions are put in place.
Revenues generated from penalties
The revenues generated from the payments of penalties should be used to strengthen the level of cybersecurity within the Union, including by developing capacity and skills related to cybersecurity, improving economic operators' cyber resilience, in particular of microenterprises and of small and medium-sized enterprises and more in general fostering public awareness of cyber security issues.
Evaluation and review
Every year when presenting the Draft Budget for the following year, the Commission should submit a detailed assessment of ENISA's tasks under this Regulation as set out in Annex VIa and other relevant Union law and shall detail the financial and human resources needed to fulfil those tasks.
Committee report tabled for plenary, 1st reading/single reading
PURPOSE: to lay down a horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements.
PROPOSED ACT: Regulation of the European Parliament and of the Council.
ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.
BACKGROUND: hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of EUR 5.5 trillion by 2021. Such products suffer from two major problems adding costs for users and the society: (i) a low level of cybersecurity , reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them, and (ii) an insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner. In a connected environment, a cybersecurity incident in one product can affect an entire organisation or a whole supply chain, often propagating across the borders of the internal market within a matter of minutes. This can lead to severe disruption of economic and social activities or even become life threatening.
While the existing Union legislation applies to certain products with digital elements, there is no horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements. It is therefore necessary to lay down a uniform legal framework for essential cybersecurity requirements for placing products with digital elements on the Union market.
CONTENT: with this proposal, the Commission seeks to lay down horizontal cybersecurity rules which are not specific to sectors or certain products with digital elements.
Subject matter
Based on the new legislative framework for product legislation in the EU, the proposal establishes:
- rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products;
- essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products with respect to cybersecurity;
- essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes;
- rules on market surveillance and enforcement of the above-mentioned rules and requirements.
Scope
The draft Regulation applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. It will not apply to products for which cybersecurity requirements are already set out in existing EU rules, for example on medical devices, aviation or cars .
Objectives
It has two main objectives aiming to ensure the proper functioning of the internal market:
- create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufactures take security seriously throughout a product’s life cycle;
- create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.
Obligations for manufacturers, importers and distributors
Obligations would be set up for economic operators, starting from manufacturers, up to distributors and importers, in relation to the placement on the market of products with digital elements, as adequate for their role and responsibilities on the supply chain.
The essential cybersecurity requirements and obligations mandate that all products with digital elements shall only be made available on the market if, where dully supplied, properly installed, maintained and used for their intended purpose or under conditions, which can be reasonably foreseen, they meet the essential cybersecurity requirements set out in this draft Regulation.
The essential requirements and obligations would mandate manufacturers to factor in cybersecurity in the design and development and production of the products with digital elements, exercise due diligence on security aspects when designing and developing their products, be transparent on cybersecurity aspects that need to be made known to customers, ensure security support (updates) in a proportionate way, and comply with vulnerability handling requirements.
Notification of conformity assessment bodies
Proper functioning of notified bodies is crucial for ensuring a high level of cybersecurity and for the confidence of all interested parties. Therefore, the proposal sets out requirements for national authorities responsible for conformity assessment bodies (notified bodies). Member States will designate a notifying authority that will be responsible for setting up and carrying out the necessary procedures for the assessment and notification of conformity assessment bodies and the monitoring of notified bodies.
Conformity assessment process
Manufacturers should undergo a process of conformity assessment to demonstrate whether the specified requirements relating to a product have been fulfilled. Where compliance of the product with the applicable requirements has been demonstrated, manufacturers and developers would draw up an EU declaration of conformity and will be able to affix the CE marking.
Market surveillance
Member States should appoint market surveillance authorities , which would be responsible for enforcing the Cyber Resilience Act obligations.
In case of non-compliance, market surveillance authorities could require operators to bring the non-compliance to an end and eliminate the risk, to prohibit or restrict the making available of a product on the market, or to order that the product is withdrawn or recalled. Each of these authorities will be able to fine companies that don't adhere to the rules.
Application
To allow manufacturers, notified bodies and Member States time to adapt to the new requirements, the proposed Regulation will become applicable 24 months after its entry into force, except for the reporting obligation on manufacturers, which would apply from 12 months after the date of entry into force.
Legislative proposal
PURPOSE: to lay down a horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements.
PROPOSED ACT: Regulation of the European Parliament and of the Council.
ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.
BACKGROUND: hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of EUR 5.5 trillion by 2021. Such products suffer from two major problems adding costs for users and the society: (i) a low level of cybersecurity , reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them, and (ii) an insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner. In a connected environment, a cybersecurity incident in one product can affect an entire organisation or a whole supply chain, often propagating across the borders of the internal market within a matter of minutes. This can lead to severe disruption of economic and social activities or even become life threatening.
While the existing Union legislation applies to certain products with digital elements, there is no horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements. It is therefore necessary to lay down a uniform legal framework for essential cybersecurity requirements for placing products with digital elements on the Union market.
CONTENT: with this proposal, the Commission seeks to lay down horizontal cybersecurity rules which are not specific to sectors or certain products with digital elements.
Subject matter
Based on the new legislative framework for product legislation in the EU, the proposal establishes:
- rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products;
- essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products with respect to cybersecurity;
- essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes;
- rules on market surveillance and enforcement of the above-mentioned rules and requirements.
Scope
The draft Regulation applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. It will not apply to products for which cybersecurity requirements are already set out in existing EU rules, for example on medical devices, aviation or cars .
Objectives
It has two main objectives aiming to ensure the proper functioning of the internal market:
- create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufactures take security seriously throughout a product’s life cycle;
- create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.
Obligations for manufacturers, importers and distributors
Obligations would be set up for economic operators, starting from manufacturers, up to distributors and importers, in relation to the placement on the market of products with digital elements, as adequate for their role and responsibilities on the supply chain.
The essential cybersecurity requirements and obligations mandate that all products with digital elements shall only be made available on the market if, where dully supplied, properly installed, maintained and used for their intended purpose or under conditions, which can be reasonably foreseen, they meet the essential cybersecurity requirements set out in this draft Regulation.
The essential requirements and obligations would mandate manufacturers to factor in cybersecurity in the design and development and production of the products with digital elements, exercise due diligence on security aspects when designing and developing their products, be transparent on cybersecurity aspects that need to be made known to customers, ensure security support (updates) in a proportionate way, and comply with vulnerability handling requirements.
Notification of conformity assessment bodies
Proper functioning of notified bodies is crucial for ensuring a high level of cybersecurity and for the confidence of all interested parties. Therefore, the proposal sets out requirements for national authorities responsible for conformity assessment bodies (notified bodies). Member States will designate a notifying authority that will be responsible for setting up and carrying out the necessary procedures for the assessment and notification of conformity assessment bodies and the monitoring of notified bodies.
Conformity assessment process
Manufacturers should undergo a process of conformity assessment to demonstrate whether the specified requirements relating to a product have been fulfilled. Where compliance of the product with the applicable requirements has been demonstrated, manufacturers and developers would draw up an EU declaration of conformity and will be able to affix the CE marking.
Market surveillance
Member States should appoint market surveillance authorities , which would be responsible for enforcing the Cyber Resilience Act obligations.
In case of non-compliance, market surveillance authorities could require operators to bring the non-compliance to an end and eliminate the risk, to prohibit or restrict the making available of a product on the market, or to order that the product is withdrawn or recalled. Each of these authorities will be able to fine companies that don't adhere to the rules.
Application
To allow manufacturers, notified bodies and Member States time to adapt to the new requirements, the proposed Regulation will become applicable 24 months after its entry into force, except for the reporting obligation on manufacturers, which would apply from 12 months after the date of entry into force.
Legislative proposal
Documents
- Final act published in Official Journal: Regulation 2024/2847
- Final act published in Official Journal: Corrigendum to final act 32024R2847R(01)
- Draft final act: 00100/2024/LEX
- Commission response to text adopted in plenary: SP(2024)350
- Decision by Parliament, 1st reading: T9-0130/2024
- Results of vote in Parliament: Results of vote in Parliament
- Debate in Parliament: Go to the page
- Approval in committee of the text agreed at 1st reading interinstitutional negotiations: PE758.004
- Approval in committee of the text agreed at 1st reading interinstitutional negotiations: GEDA/A/(2024)000218
- Text agreed during interinstitutional negotiations: PE758.004
- Coreper letter confirming interinstitutional agreement: GEDA/A/(2024)000218
- Committee report tabled for plenary, 1st reading: A9-0253/2023
- Committee opinion: PE742.490
- Contribution: COM(2022)0454
- Amendments tabled in committee: PE746.921
- Amendments tabled in committee: PE746.920
- Amendments tabled in committee: PE746.662
- Committee draft report: PE745.538
- Contribution: COM(2022)0454
- Contribution: COM(2022)0454
- ESC: CES4103/2022
- Contribution: COM(2022)0454
- EDPS: OJ C 452 29.11.2022, p. 0023
- EDPS: N9-0088/2022
- Document attached to the procedure: Go to the pageEur-Lex
- Document attached to the procedure: SEC(2022)0321
- Document attached to the procedure: Go to the pageEur-Lex
- Document attached to the procedure: SWD(2022)0283
- Legislative proposal: COM(2022)0454
- Legislative proposal: Go to the pageEur-Lex
- Document attached to the procedure: SWD(2022)0282
- Legislative proposal published: COM(2022)0454
- Legislative proposal published: Go to the page Eur-Lex
- Committee draft report: PE745.538
- Amendments tabled in committee: PE746.662
- Amendments tabled in committee: PE746.921
- Amendments tabled in committee: PE746.920
- Committee opinion: PE742.490
- Text agreed during interinstitutional negotiations: PE758.004
- Coreper letter confirming interinstitutional agreement: GEDA/A/(2024)000218
- Draft final act: 00100/2024/LEX
- Document attached to the procedure: Go to the pageEur-Lex SEC(2022)0321
- Document attached to the procedure: Go to the pageEur-Lex SWD(2022)0283
- Legislative proposal: COM(2022)0454 Go to the pageEur-Lex
- Document attached to the procedure: SWD(2022)0282
- Commission response to text adopted in plenary: SP(2024)350
- Contribution: COM(2022)0454
- Contribution: COM(2022)0454
- Contribution: COM(2022)0454
- Contribution: COM(2022)0454
- EDPS: OJ C 452 29.11.2022, p. 0023 N9-0088/2022
- ESC: CES4103/2022
Activities
Votes
A9-0253/2023 – Nicola Danti – Provisional agreement – Am 2 #
Amendments | Dossier |
714 |
2022/0272(COD)
2023/04/28
IMCO
291 amendments...
Amendment 100 #
Proposal for a regulation Recital 35 (35) Manufacturers should also report to
Amendment 101 #
Proposal for a regulation Recital 38 (38) In order to facilitate assessment of conformity with the requirements laid down by this Regulation, there should be a presumption of conformity for products with digital elements which are in conformity with harmonised standards, which translate the essential requirements
Amendment 102 #
Proposal for a regulation Recital 45 (45) As a general rule the requirements for the conformity assessment of products with digital elements should be risk-based and to that regard in many cases the assessment could be carried out by the manufacturer under its own responsibility following the procedure based on Module A of Decision 768/2008/EC. The manufacturer should retain flexibility to choose a stricter conformity assessment procedure involving a third-party. If the product is classified as a critical product of class I, additional assurance is required to demonstrate conformity with the essential requirements set out in this Regulation. The manufacturer should apply harmonised standards, common specifications or cybersecurity certification schemes under Regulation (EU) 2019/881 which have been identified by the Commission in an implementing act, if it wants to carry out the conformity assessment under its own responsibility (module A). If the manufacturer does not apply such harmonised standards, common specifications or cybersecurity certification schemes, the manufacturer should undergo conformity assessment involving a third party. Taking into account the administrative burden on manufacturers and the fact that cybersecurity plays an important role in the design and development phase of tangible and intangible products with digital elements, conformity assessment procedures respectively based on modules B+C or module H of Decision 768/2008/EC have been chosen as most appropriate for assessing the compliance of critical products with digital elements in a proportionate and effective manner. The manufacturer that carries out the third- party conformity assessment can choose the procedure that suits best its design and production process. Given the even greater cybersecurity risk linked with the use of products classified as critical class II products, the conformity assessment should
Amendment 103 #
Proposal for a regulation Recital 45 (45) As a general rule the conformity assessment of products with digital elements should be carried out by the manufacturer under its own responsibility following the procedure based on Module A of Decision 768/2008/EC. The manufacturer should retain flexibility to choose a stricter conformity assessment procedure involving a third-party. If the product is classified as a critical product of class I, additional assurance is required to demonstrate conformity with the essential requirements set out in this Regulation. The manufacturer should apply harmonised standards
Amendment 104 #
Proposal for a regulation Recital 56 a (new) (56 a) In order for SMEs to be able to cope with the new obligations imposed by this Regulation, the Commission should provide them with relevant guidelines.
Amendment 105 #
Proposal for a regulation Recital 62 (62) In order to ensure that the regulatory framework can be adapted where necessary, the power to adopt acts in accordance with Article 290 of the Treaty
Amendment 106 #
Proposal for a regulation Recital 63 (63) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to: specify the format and elements of the software bill of materials, specify further the type of information, format and procedure of the notifications on actively exploited vulnerabilities and incidents submitted to ENISA by the manufacturers, based on industry best practices, specify the European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 that can be used to demonstrate conformity with the essential requirements or parts therefore as set out in Annex I of this Regulation, adopt common specifications in respect of the essential requirements set out in Annex I, lay down technical specifications for pictograms or any other marks related to the security of the products with digital elements, and mechanisms to promote their use, decide on corrective or restrictive measures at Union level in exceptional circumstances which justify an immediate intervention to preserve the good functioning of the internal market. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council34 . __________________ 34 Regulation (EU) No 182/2011 of the
Amendment 107 #
Proposal for a regulation Recital 69 (69) Economic operators should be provided with a sufficient time to adapt to the requirements of this Regulation. This Regulation should apply [12
Amendment 108 #
Proposal for a regulation Recital 69 (69) Economic operators should be provided with a sufficient time to adapt to the requirements of this Regulation. This Regulation should apply [
Amendment 109 #
Proposal for a regulation Recital 71 a (new) (71 a) The Commission shall present easy-to-understand guidelines for businesses with the requirements of this Regulation. When developing such guidelines, the Commission should take into consideration needs of SMEs so as to keep administrative and financial burdens to a minimum while facilitating their compliance with this Regulation. The Commission should consult relevant stakeholders, with expertise in the field of cybersecurity.
Amendment 110 #
Proposal for a regulation Recital 71 b (new) (71 b) Where third party assessment is mandated, such assessment should take into account: the similarity of products with digital elements by accepting one product as representative of a family or category of products for assessment purposes due to them having equitable hardware and/or software; reciprocity to eliminate duplication by accepting of other entities’ assessments or certification (e.g. recognition of assessments from qualified bodies outside the Union; reuse of certifications); deltas in order to only focus on additional requirements not covered by other entities’ assessments and not reassessing the whole set; attestation in order to accept assessments from the manufacturer for certain aspects of the wider third-party assessment; and maintenance to allow certain changes or software updates to the product without requiring reassessment. In particular, software updates that do not weaken the security posture of the product should not be considered as justifiable to require reassessment.
Amendment 111 #
Proposal for a regulation Article 1 – paragraph 1 – introductory part The objective of this Regulation is to provide for a high level of consumer protection by protecting the confidentiality, integrity and availability of information in products with digital elements. This Regulation lays down:
Amendment 112 #
Proposal for a regulation Article 1 – paragraph 1 – point d (d) rules on market monitoring, market surveillance and
Amendment 113 #
Proposal for a regulation Article 2 – paragraph 1 1. This Regulation applies to products with digital elements placed on the market whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a
Amendment 114 #
Proposal for a regulation Article 2 – paragraph 1 1. This Regulation applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to an external device or network.
Amendment 115 #
Proposal for a regulation Article 2 – paragraph 2 – point c a (new) (c a) Regulation (EU) 2022/2554;
Amendment 116 #
Proposal for a regulation Article 2 – paragraph 2 – point c b (new) (c b) Directive (EU) 2022/2555.
Amendment 117 #
Proposal for a regulation Article 2 – paragraph 3 a (new) 3 a. This Regulation shall not apply to software provided under free and open- source licences, including its source code and modified versions, except when such software is provided as a paid or monetised product. The compliance of free and open-source components of products shall be ensured by the manufacturer of the product.
Amendment 118 #
Proposal for a regulation Article 2 – paragraph 4 – subparagraph 2 Amendment 119 #
Proposal for a regulation Article 2 – paragraph 5 – subparagraph 1 (new) 6. This Regulation does not apply to the internal networks of a product with digital elements if these networks have dedicated endpoints and are secured from external data connection.
Amendment 120 #
Proposal for a regulation Article 2 – paragraph 5 a (new) 5 a. This Regulation does not apply to freeware and open-source software unless: (a) the developer or a third-party has agreed to the provision of technical support services, either with a user, or with a manufacturer who wishes to use the software as a component in their own products. (b) the software is provided in the course of commercial activity, either by: (i) charging a price for a product; (ii) providing a software platform reliant on other services which the manufacturer monetises; (iii) using personal data generated by the software for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
Amendment 121 #
Proposal for a regulation Article 2 – paragraph 5 a (new) 5 a. This Regulation does not apply to any supply of a product with digital elements for distribution and use on the Union market where such supply, distribution, and use exclusively occurs within the same group of companies within the meaning of Article 2(13) of Regulation (EU) 2015/848.
Amendment 122 #
Proposal for a regulation Article 2 – paragraph 5 a (new) 5 a. This Regulation shall not apply to spare parts intended solely to replace defective parts of products with digital elements, in order to restore their functionality.
Amendment 123 #
Proposal for a regulation Article 3 – paragraph 1 – point 1 (1) ‘product with digital elements’ means any software or hardware product
Amendment 124 #
Proposal for a regulation Article 3 – paragraph 1 – point 1 (1) ‘product with digital elements’ means any software or hardware product
Amendment 125 #
Proposal for a regulation Article 3 – paragraph 1 – point 1 a (new) (1 a) 'partly completed products with digital elements’ means an assembly which cannot in itself function so as to perform a specific application and which is only intended to be incorporated into or assembled with a product with digital elements or other partly completed product with digital elements, thereby forming a product with digital elements;
Amendment 126 #
Proposal for a regulation Article 3 – paragraph 1 – point 2 Amendment 127 #
Proposal for a regulation Article 3 – paragraph 1 – point 4 a (new) (4 a) ‘consumer’ means any natural person who, under the circumstances regulated by this Regulation, is acting for purposes which are outside their trade, business, craft or profession;
Amendment 128 #
Proposal for a regulation Article 3 – paragraph 1 – point 6 (6) ‘software’ means the part of an electronic information system which consists of computer code, with exception of software relating to the Internet websites;
Amendment 129 #
Proposal for a regulation Article 3 – paragraph 1 – point 6 a (new) (6 a) 'freeware' means proprietary software that is provided at no cost to the user, but cannot be distributed, studied, changed, improved, integrated into other products or provided as a service without the consent of the author;
Amendment 130 #
Proposal for a regulation Article 3 – paragraph 1 – point 6 b (new) (6 b) ‘ open-source software’ means software distributed under a licence which allow users to run, copy, distribute, study, change and improve it freely, as well as to integrate it as a component in other products, provide it as a service, or provide commercial support for it;
Amendment 131 #
Proposal for a regulation Article 3 – paragraph 1 – point 11 (11) ‘physical connection’ means any connection between electronic information systems or components implemented using physical means, including through electrical or mechanical interfaces
Amendment 132 #
Proposal for a regulation Article 3 – paragraph 1 – point 18 (18) ‘manufacturer’ means any natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or
Amendment 133 #
Proposal for a regulation Article 3 – paragraph 1 – point 23 (23) ‘making available on the market’ means any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity,
Amendment 134 #
Proposal for a regulation Article 3 – paragraph 1 – point 23 a (new) (23 a) ‘recall’ means recall as defined in Article 3, point (22) of Regulation (EU) 2019/1020;
Amendment 135 #
Proposal for a regulation Article 3 – paragraph 1 – point 26 Amendment 136 #
Proposal for a regulation Article 3 – paragraph 1 – point 31 (31) ‘substantial modification’ means a change to the product with digital elements following its placing on the market, which
Amendment 137 #
Proposal for a regulation Article 3 – paragraph 1 – point 31 (31) ‘substantial modification’ means a change to the product with digital elements, excluding security and maintenance updates, following its placing on the market, which affects the compliance of the product with digital elements with the essential requirements set out in Section 1 of Annex I or results in a modification to the intended use for which the product with digital elements has been assessed;
Amendment 138 #
Proposal for a regulation Article 3 – paragraph 1 – point 39 (39) ‘actively exploited vulnerability’ means a patched vulnerability for which there is reliable evidence that execution of malicious code was performed by an actor on a system without permission of the system owner;
Amendment 139 #
Proposal for a regulation Article 3 – paragraph 1 – point 40 a (new) (40 a) 'partly completed products with digital elements' means a tangible item which is unable to function independently and which is only produced with the aim of be incorporated into or assembled with a product with digital elements or other partly completed product with digital elements, and which can only be effectively assessed for its conformity taking into account how it is incorporated into an intended final product with digital elements;
Amendment 140 #
Proposal for a regulation Article 3 – paragraph 1 – point 40 a (new) (40 a) ‘life-cycle’ means the period from the moment that product covered by this Regulation is placed on the market or put into service until the moment that it is discarded, including the effective time when it is capable of being used and the phases of transport, assembly, dismantling, disabling, scrapping or other physical or digital modifications foreseen by the manufacturer;
Amendment 141 #
Proposal for a regulation Article 4 – paragraph 1 1. Member States shall not impede, for the matters covered by this Regulation, the making available on the market of products with digital elements or partly completed products with digital elements which comply with this Regulation.
Amendment 142 #
Proposal for a regulation Article 4 – paragraph 1 1. Member States shall not impede, for the matters covered by this Regulation, the making available on the market of products with digital elements or partly completed products with digital elements which comply with this Regulation.
Amendment 143 #
Proposal for a regulation Article 4 – paragraph 2 2. At trade fairs, exhibitions and demonstrations or similar events, Member States shall not prevent the presentation and use of a product with digital elements which does not comply with this Regulation provided that the product is used exclusively for exhibition purposes within the course of such event and that a visible sign clearly indicates that it does not comply with this Regulation.
Amendment 144 #
Proposal for a regulation Article 4 – paragraph 2 2.
Amendment 145 #
Proposal for a regulation Article 4 – paragraph 2 2. At trade fairs, exhibitions and demonstrations or similar events, Member States shall not prevent the presentation and use of a product with digital elements or a partly completed product with digital elements which does not comply with this Regulation.
Amendment 146 #
Proposal for a regulation Article 4 – paragraph 2 2. At trade fairs, exhibitions and demonstrations or similar events, Member States shall not prevent the presentation and use of a product with digital elements or partly completed products with digital elements which do
Amendment 147 #
Proposal for a regulation Article 4 – paragraph 3 Amendment 148 #
Proposal for a regulation Article 4 – paragraph 3 3. Member States shall not prevent the making available of unfinished software which does not comply with this Regulation provided that the software is only made available
Amendment 149 #
Proposal for a regulation Article 5 – paragraph 1 – point 1 (1) they meet the essential requirements set out in Section 1 of Annex I, under the condition that they are properly installed, maintained, used for their intended purpose or under conditions which can reasonably be foreseen, and
Amendment 150 #
Proposal for a regulation Article 5 – paragraph 1 – point 1 (1) they meet the essential requirements set out in Section 1 of Annex I, under the condition that they are properly installed, maintained, used for their intended purpose or under conditions which can reasonably be foreseen,
Amendment 151 #
Proposal for a regulation Article 6 – paragraph 2 – introductory part 2. The Commission is empowered to adopt delegated acts in accordance with Article 50 to amend Annex III by including in the list of categories of critical products with digital elements a new category or withdrawing an existing one from that list 48 months after the start of application of this Regulation and every 5 years thereafter. When assessing the need to amend the list in Annex III, the Commission shall take into account the level of cybersecurity risk related to the category of products with digital elements. In determining the level of cybersecurity risk, one or several of the following criteria shall be taken into account:
Amendment 152 #
Proposal for a regulation Article 6 – paragraph 2 – point b (b) the intended use in
Amendment 153 #
Proposal for a regulation Article 6 – paragraph 2 – point c (c) the intended use and scale of performing critical or sensitive functions, such as the volume of processing of personal data
Amendment 154 #
Proposal for a regulation Article 6 – paragraph 3 Amendment 155 #
Proposal for a regulation Article 6 – paragraph 3 3. The Commission is empowered to adopt a delegated act in accordance with Article 50 to supplement this Regulation by specifying the definitions of the product categories under class I and class II as set out in Annex III. The delegated act shall be adopted [by
Amendment 156 #
Proposal for a regulation Article 6 – paragraph 3 3. The Commission is empowered to adopt a delegated act in accordance with Article 50 to supplement this Regulation by specifying the definitions of the product categories under class I and class II as set out in Annex III. The delegated act shall be adopted [by
Amendment 157 #
Proposal for a regulation Article 6 – paragraph 4 4. Critical products with digital elements shall be subject to the conformity assessment procedures referred to in Article 24(2) and (3). By exception, small and micro enterprises can use the procedure referred to in Article 24(2).
Amendment 158 #
Proposal for a regulation Article 6 – paragraph 4 4. Critical products with digital elements shall be subject to the conformity assessment procedures referred to in Article 24
Amendment 159 #
Proposal for a regulation Article 6 – paragraph 5 Amendment 160 #
Proposal for a regulation Article 6 – paragraph 5 – introductory part 5. The Commission is empowered to
Amendment 161 #
Proposal for a regulation Article 7 – paragraph 1 Amendment 162 #
Proposal for a regulation Article 7 – paragraph 1 Amendment 163 #
Proposal for a regulation Article 8 – paragraph 1 1. Products with digital elements or partly completed products with digital elements classified as high-risk AI systems in accordance with Article [Article 6] of Regulation [the AI Regulation] which fall within the scope of this Regulation, and fulfil the essential requirements set out in Section 1 of Annex I of this Regulation, and where the processes put in place by the manufacturer are compliant with the essential requirements set out in Section 2
Amendment 164 #
Proposal for a regulation Article 8 – paragraph 2 Amendment 165 #
Proposal for a regulation Article 8 – paragraph 2 2. For the products and cybersecurity requirements referred to in paragraph 1, the relevant conformity assessment procedure as required by
Amendment 166 #
Proposal for a regulation Article 8 – paragraph 3 Amendment 167 #
Proposal for a regulation Article 8 – paragraph 3 Amendment 168 #
Proposal for a regulation Article 9 – paragraph 1 Amendment 169 #
Proposal for a regulation Article 9 – paragraph 1 Machinery products under the scope of Regulation [Machinery Regulation proposal] which are products with digital elements or partly completed products with digital elements within the meaning of this Regulation and for which an EU declaration of conformity has been issued on the basis of this Regulation shall be deemed to be in conformity with the essential health and safety requirements set out in Annex [Annex III, Sections 1.1.9 and 1.2.1] to Regulation [Machinery Regulation proposal], as regards protection against corruption and safety and reliability of control systems, and in so far as the achievement of the level of protection required by those requirements is demonstrated in the EU declaration of conformity issued under this Regulation.
Amendment 170 #
Proposal for a regulation Article 9 – paragraph 1 a (new) By derogation from paragraph 1, products with digital elements which are also machinery products that fall within the categories listed in Annex I of Regulation [Machinery Regulation proposal], shall be subject to the specific conformity assessment procedures as required by Article 21(2) and (3) of Regulation [Machinery Regulation proposal].
Amendment 171 #
Proposal for a regulation Article 10 – paragraph -1 (new) -1. Software manufacturers which qualify as a microenterprise as defined in Commission Recommendation 2003/361/EC shall make best efforts to comply with the requirements in this Regulation during the 18 months from placing a software on the market.
Amendment 172 #
Proposal for a regulation Article 10 – paragraph 1 1. When placing a product with digital elements on the market, manufacturers shall take reasonable measures to ensure that it has been designed, developed and produced in accordance with the essential requirements set out in Section 1 of Annex I.
Amendment 173 #
Proposal for a regulation Article 10 – paragraph 2 2. For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall undertake an assessment of the cybersecurity risks associated with a data connection to an external device or network of a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing security incidents and minimising the impacts of such incidents, including in relation to the health and safety of users.
Amendment 174 #
Proposal for a regulation Article 10 – paragraph 3 3. When placing a product with digital elements on the market, the manufacturer shall include a cybersecurity risk assessment in the technical documentation as set out in Article 23 and Annex V in a manner suitable for distribution of that component and which does not limit the options for further making available of the component. For products with digital elements referred to in Articles 8 and 24(4) that are also subject
Amendment 175 #
Proposal for a regulation Article 10 – paragraph 4 4. For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties in products with digital elements.
Amendment 176 #
Proposal for a regulation Article 10 – paragraph 4 4. For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties in products with digital elements. They shall take reasonable measures to ensure that such components do not compromise the security of the product with digital elements.
Amendment 177 #
Proposal for a regulation Article 10 – paragraph 6 – subparagraph 1 When placing a product with digital elements on the market,
Amendment 178 #
Proposal for a regulation Article 10 – paragraph 6 – subparagraph 1 When placing a product with digital elements on the market, and for the expected product lifetime or for a period of five years from the placing of the product on the market, whichever is shorter, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I. When the expected product lifetime is shorter than 5 years, and the manufacturer is unable to continue to ensure that vulnerabilities of the product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I, it shall publish the source code under free and open source license.
Amendment 179 #
Proposal for a regulation Article 10 – paragraph 6 – subparagraph 1 When placing a product with digital elements on the market, and for the expected product lifetime
Amendment 180 #
Proposal for a regulation Article 10 – paragraph 6 – subparagraph 1 When placing a product with digital elements on the market, and for the expected product lifetime at the time of placing that product on the market or for a period of five years from the placing of the product on the market, whichever is shorter, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2
Amendment 181 #
Proposal for a regulation Article 10 – paragraph 6 – subparagraph 1 When placing a product with digital elements on the market
Amendment 182 #
Proposal for a regulation Article 10 – paragraph 6 – subparagraph 1 a (new) Manufacturers shall set out the expected product lifetime considering the reasonable expectations of consumers regarding the functionality and intended purpose of the product, and the provision of security and functionality updates.
Amendment 183 #
Proposal for a regulation Article 10 – paragraph 8 8. Manufacturers shall keep the technical documentation and the EU declaration of conformity,
Amendment 184 #
Proposal for a regulation Article 10 – paragraph 9 9. Manufacturers shall ensure that procedures are in place for products with digital elements that are part of a series of production to remain in conformity. The manufacturer shall adequately take into account changes in the development and production process or in the design or characteristics of the product with digital elements and changes in the harmonised standards, European cybersecurity certification schemes or the common specifications referred to in Article 19 by reference to which the conformity of the product with digital elements is declared or by application of which its conformity is verified. Where new knowledge, techniques, or standards become available, which were not available at the time of design of a serial product, the manufacturer may consider implementing such improvements periodically for future product generations. The manufacturer shall take into account the associated costs and efforts, including the efforts required for development, testing, validation, and approval process time.
Amendment 185 #
Proposal for a regulation Article 10 – paragraph 9 a (new) 9 a. Manufacturers shall publicly communicate and advertise the expected product lifetime of their products, in a clear and understandable manner, and in particular the minimal duration of the provision of security updates.
Amendment 186 #
Proposal for a regulation Article 10 – paragraph 10 a (new) 10 a. Manufacturers shall indicate the expected product lifetime in a clear and understandable manner. Where applicable, manufacturers shall also specify the expected product lifetime on the packaging of the product with digital elements.
Amendment 187 #
Proposal for a regulation Article 10 – paragraph 12 12. From the placing on the market and for the expected product lifetime
Amendment 188 #
Proposal for a regulation Article 10 – paragraph 12 12. From the placing on the market and for the expected product lifetime or for a period of five years after the placing on the market of a product with digital elements, whichever is shorter, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer
Amendment 189 #
Proposal for a regulation Article 10 – paragraph 12 12. From the placing on the market and for
Amendment 190 #
Proposal for a regulation Article 10 – paragraph 15 15. The Commission may, by means of
Amendment 191 #
Proposal for a regulation Article 10 – paragraph 15 a (new) 15 a. Manufacturers shall make publicly available communication channels such as a telephone number, electronic address or dedicated section of their website, taking into account accessibility needs for persons with disabilities, enabling users of products with digital elements to submit complaints electronically and free of charge.
Amendment 192 #
Proposal for a regulation Article 11 – paragraph 1 1. The manufacturer shall, without undue delay and in any event within 24 hours of becoming aware of it, notify to ENISA any actively exploited vulnerability contained in the product with digital elements. The notification shall include details concerning that vulnerability and, where applicable, any corrective or mitigating measures taken. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notification to the CSIRT designated for the purposes of coordinated vulnerability disclosure in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of Member States concerned upon receipt and immediately inform the market surveillance authority about the notified vulnerability. Where a notified vulnerability has no corrective or mitigating measures available, ENISA shall ensure that information about the notified vulnerability is shared in line with strict security protocols and on a need-to-know-basis.
Amendment 193 #
Proposal for a regulation Article 11 – paragraph 1 1. The manufacturer shall, without undue delay and
Amendment 194 #
Proposal for a regulation Article 11 – paragraph 1 1. The manufacturer shall,
Amendment 195 #
Proposal for a regulation Article 11 – paragraph 1 1. The manufacturer shall, without undue delay and in any event within 24 hours of becoming aware of it, notify to ENISA any actively exploited vulnerability contained in the product with digital elements. The notification shall include details concerning that vulnerability and, where applicable, any corrective or mitigating measures taken and the recommended risk mitigation measures. ENISA shall, without undue delay, unless for justified cybersecurity risk-related grounds, forward the notification to the CSIRT designated for the purposes of coordinated vulnerability disclosure in accordance with Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] of Member States concerned upon receipt and inform the market surveillance authority about the
Amendment 196 #
Proposal for a regulation Article 11 – paragraph 2 2. The manufacturer shall, without undue delay and in any event within 24 hours of becoming aware of it, by means of an early warning, notify
Amendment 197 #
Proposal for a regulation Article 11 – paragraph 2 2. The manufacturer shall, without undue delay and
Amendment 198 #
Proposal for a regulation Article 11 – paragraph 2 2. The manufacturer shall, without undue delay
Amendment 199 #
Proposal for a regulation Article 11 – paragraph 3 3.
Amendment 200 #
Proposal for a regulation Article 11 – paragraph 3 3. ENISA shall submit to the European cyber crisis liaison organisation network (EU-CyCLONe) established by Article [Article X] of Directive [Directive XXX/XXXX (NIS2)] information notified pursuant to paragraph
Amendment 201 #
Proposal for a regulation Article 11 – paragraph 4 4. The manufacturer shall inform, without undue delay and after becoming aware, the users of the product with digital elements about the incident and
Amendment 202 #
Proposal for a regulation Article 11 – paragraph 4 4. The manufacturer shall inform, without undue delay and after becoming aware, the users of the product with digital elements about
Amendment 203 #
Proposal for a regulation Article 11 – paragraph 4 4. The manufacturer shall inform, without undue delay and after becoming aware, the users of the product with digital elements
Amendment 204 #
Proposal for a regulation Article 11 – paragraph 4 4. The manufacturer shall inform, without undue delay and after becoming aware, the users of the product with digital elements about the incident and, where necessary, about risk mitigation and any corrective measures that the user can deploy to mitigate the impact of the incident.
Amendment 205 #
Proposal for a regulation Article 11 – paragraph 5 5. The Commission, after consulting stakeholders and CSIRTs may, by means of implementing acts, specify further the type of information, format and procedure of the notifications submitted pursuant to paragraphs 1 and 2. Those implementing acts shall be based on European and international standards, such as ISO/IEC 29147 and adopted in accordance with the examination procedure referred to in Article 51(2).
Amendment 206 #
Proposal for a regulation Article 11 – paragraph 6 6. ENISA, on the basis of the notifications received pursuant to paragraphs 1 and 2, shall prepare a biennial technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group referred to in Article [Article X] of Directive [Directive XXX/XXXX (NIS2)]. The first such report shall be submitted within 24 months after the obligations laid down in paragraph
Amendment 207 #
Proposal for a regulation Article 11 – paragraph 6 6. ENISA, on the basis of the notifications received pursuant to paragraphs 1, 2 and
Amendment 208 #
Proposal for a regulation Article 11 – paragraph 7 7. Manufacturers shall, upon identifying a vulnerability in a component, including in an open source component, which is integrated in the product with digital elements, report the vulnerability and the corrective or mitigating measure taken, to the person or entity maintaining the component. Such corrective or mitigating measures shall be accompanied by the relevant code and appropriate licenses that allow the deployment. This does not release the manufacturer from the obligation to maintain the compliance of the product with the requirements of this Regulation, nor does it create obligations for the developers of free and open source components that have no contractual relation to the said manufacturer.
Amendment 209 #
Proposal for a regulation Article 11 a (new) Article 11 a Single point of contact for users 1. Manufacturers shall designate a single point of contact to enable users to communicate directly and rapidly with them, where applicable by electronic means and in a user-friendly manner, including by allowing recipients of the service to choose the means of communication, which shall not solely rely on automated tools. 2. In addition to the obligations provided under Directive 2000/31/EC, manufacturers shall make public the information necessary for the end users in order to easily identify and communicate with their single points of contact. That information shall be easily accessible and shall be kept up to date.
Amendment 210 #
Proposal for a regulation Article 13 – paragraph 2 – point c a (new) (c a) all the documents proving the fulfilment of the requirements set in this article have been received from the manufacturer and are available for inspection.
Amendment 211 #
Proposal for a regulation Article 13 – paragraph 6 – subparagraph 1 Importers who know or have reason to believe that a product with digital
Amendment 212 #
Proposal for a regulation Article 14 – paragraph 2 – point b a (new) (b a) they have received from the importer all the information and documentation required by this regulation.
Amendment 213 #
Proposal for a regulation Article 16 – paragraph 1 A natural or legal person, other than the manufacturer, the importer or the
Amendment 214 #
Proposal for a regulation Article 16 – paragraph 1 A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements and makes it available on the market shall be considered a manufacturer for the purposes of this Regulation.
Amendment 215 #
Proposal for a regulation Article 17 – paragraph 1 – introductory part 1. Economic operators shall, on request
Amendment 216 #
Proposal for a regulation Article 18 – paragraph 1 a (new) 1 a. The Commission shall, as provided in Article 10(1) of Regulation (EU) 1025/2012, request one or more European standardisation organisations to draft harmonised standards for the requirements set out in Annex I.
Amendment 217 #
Proposal for a regulation Article 18 – paragraph 2 Amendment 218 #
Proposal for a regulation Article 18 – paragraph 4 Amendment 219 #
Proposal for a regulation Article 18 – paragraph 4 a (new) 4 a. In accordance with Article 10(1) of Regulation 1025/2012, when preparing the Standardisation Request for this Regulation, the Commission shall aim for maximum harmonisation with existing or imminent international standards for cybersecurity. In the first three years following the date of application of this Regulation, the Commission is empowered to declare an existing international standard as meeting the requirements of this Regulation, without any European modifications, provided that adherence to such standards sufficiently enhances the security of products with digital elements, and provided that the standard is published as a separate version by one of the European Standardisation Organisations.
Amendment 220 #
Proposal for a regulation Article 19 Amendment 221 #
Proposal for a regulation Article 19 – paragraph 1 Amendment 222 #
Proposal for a regulation Article 20 – paragraph 2 2. The EU declaration of conformity shall have the model structure set out in Annex IV and shall contain the elements specified in the relevant conformity assessment procedures set out in Annex VI. Such a declaration shall be
Amendment 223 #
Proposal for a regulation Article 20 a (new) Article 20 a EU Declaration of Incorporation for partly completed products with digital elements 1. The EU declaration of incorporation shall be drawn up by manufacturers in accordance with Article 10(7) and state that the fulfilment of the relevant essential requirements set out in Annex I has been demonstrated. 2. The EU declaration of incorporation shall have the model structure set out in Annex IVa (new). Such a declaration shall be updated as appropriate. It shall be made available in the language or languages required by the Member State in which the partly completed product with digital elements is placed on the market or made available. 3. Where a partly completed product with digital elements is subject to more than one Union act requiring an EU declaration of incorporation, a single EU declaration of incorporation shall be drawn up in respect of all such Union acts. That declaration shall contain the identification of the Union acts concerned, including their publication references. 4. The Commission is empowered to adopt delegated acts in accordance with Article 50 to supplement this Regulation by adding elements to the minimum content of the EU declaration of incorporation as set out in Annex IVa (new) to take account of technological developments.
Amendment 224 #
Proposal for a regulation Article 22 – paragraph 1 1. The CE marking shall be affixed visibly, legibly and indelibly to the product with digital elements. Where that is not possible or not warranted on account of the
Amendment 225 #
Proposal for a regulation Article 22 – paragraph 3 3. The CE marking shall be affixed before the product with digital elements is placed on the market. It may be followed by a pictogram or any other mark indicating to consumers a special risk or use set out in implementing acts referred to in paragraph 6.
Amendment 226 #
Proposal for a regulation Article 22 – paragraph 5 5. Member States shall build upon
Amendment 227 #
Proposal for a regulation Article 22 – paragraph 6 6. The Commission may, by means of
Amendment 228 #
Proposal for a regulation Article 22 – paragraph 6 a (new) 6 a. The Commission shall present easy-to-understand guidelines for businesses with the requirements of this Regulation. When developing such guidelines, the Commission should take into consideration needs of SMEs so as to keep administrative and financial burdens to a minimum while facilitating their compliance with this Regulation. The Commission should consult relevant stakeholders, with expertise in the field of cybersecurity.
Amendment 229 #
Proposal for a regulation Article 22 – paragraph 6 a (new) 6 a. A partly completed product with digital elements shall not be marked with the CE marking under this Regulation without prejudice of marking provisions resulting from other applicable Union legislation.
Amendment 230 #
Proposal for a regulation Article 23 – paragraph 2 2. The technical documentation shall be drawn up before the product with digital elements is placed on the market and shall be continuously updated, where appropriate, during the expected product lifetime or during a period of five years after the placing on the market of a product with digital elements, whichever is
Amendment 231 #
Proposal for a regulation Article 23 – paragraph 3 3. For products with digital elements
Amendment 232 #
Proposal for a regulation Article 23 – paragraph 5 Amendment 233 #
Proposal for a regulation Article 23 – paragraph 5 5. The Commission is empowered to adopt delegated acts in accordance with Article 50 to supplement this Regulation by the elements to be included in the technical documentation set out in Annex V to take account of technological developments, as well as developments encountered in the implementation process of this Regulation. The Commission shall strive to minimise the administrative burden for small and medium sized enterprises.
Amendment 234 #
Proposal for a regulation Article 24 – paragraph 1 – point c a (new) (c a) a European cybersecurity certification scheme adopted in accordance with Article 18(4) of Regulation (EU) 2019/881.
Amendment 235 #
Proposal for a regulation Article 24 – paragraph 2 – introductory part 2. Where, in assessing the compliance of the
Amendment 236 #
Proposal for a regulation Article 24 – paragraph 2 – point b a (new) (b a) where applicable, a European cybersecurity certification scheme at assurance level ‘substantial’ or ‘high’ pursuant to Regulation (EU) 2019/881.
Amendment 237 #
Proposal for a regulation Article 24 – paragraph 3 – introductory part 3. Where the product is a critical product with digital elements
Amendment 238 #
Proposal for a regulation Article 24 – paragraph 4 a (new) 4 a. For products to which Union harmonisation legislation based on the New Legislative Framework apply, the manufacturer shall follow the relevant conformity assessment as required under those legal acts. The requirements set out in Chapter 3 shall apply to those products.
Amendment 239 #
Proposal for a regulation Article 24 – paragraph 5 5. Notified bodies shall take into account the specific interests and needs of micro, small and medium sized enterprises (SMEs) when setting the fees for conformity assessment procedures and reduce those fees proportionately to their specific interests and needs. The Commission shall take appropriate measures to ensure more accessible and affordable procedures, such as establishing a framework for providing appropriate financial support and guidance for the notified bodies.
Amendment 240 #
Proposal for a regulation Article 24 – paragraph 5 5. Notified bodies shall take into account the specific interests and needs of small and medium sized enterprises
Amendment 241 #
Proposal for a regulation Article 24 – paragraph 5 a (new) 5 a. For products with digital elements falling within the scope of this Regulation and which are placed on the market or put into service by credit institutions regulated by Directive 2013/36/EU, the conformity assessment shall be carried out as part of the procedure referred to in Articles 97 to 101 of that Directive.
Amendment 242 #
Proposal for a regulation Article 24 a (new) Amendment 243 #
Proposal for a regulation Article 25 – paragraph 1 Member States shall notify the Commission and the other Member States of conformity assessment bodies authorised to carry out conformity assessments in accordance with this Regulation. Member States and the Commission shall put in place appropriate measures to ensure sufficient availability of skilled professionals, in order to minimise bottlenecks in the activities pursuant to articles 26 to 31.
Amendment 244 #
Proposal for a regulation Article 27 – paragraph 5 5. A notifying authority shall
Amendment 245 #
Proposal for a regulation Article 27 – paragraph 6 a (new) 6 a. A notifying authority shall be organised in such a way so that bureaucracy and fees are at an absolute minimum, especially for SMEs.
Amendment 246 #
Proposal for a regulation Article 29 – paragraph 10 10. The personnel of a conformity assessment body shall observe professional secrecy with regard to all information obtained in carrying out their tasks under Annex VI or any provision of national law giving effect to it, except in relation to the market surveillance authorities of the Member State in which its activities are carried out. Proprietary rights, trade secrets and other sensitive information shall be protected. The conformity assessment body shall have documented procedures ensuring compliance with this paragraph.
Amendment 247 #
Proposal for a regulation Article 29 – paragraph 12 12. Conformity assessment bodies shall operate in accordance with a set of consistent, fair and reasonable terms and conditions, in particular taking into account the interests of SMEs in relation to fees and also respecting the confidentiality of trade secrets and proprietary information.
Amendment 248 #
Proposal for a regulation Article 29 – paragraph 12 12. Conformity assessment bodies shall operate in accordance with a set of consistent, fair and reasonable terms and conditions, in particular taking into account the interests of
Amendment 249 #
Proposal for a regulation Article 29 – paragraph 12 12. Conformity assessment bodies shall operate in accordance with a set of consistent, fair and reasonable terms and conditions in line with Article 37(2), in particular taking into account the interests of SMEs in relation to fees.
Amendment 250 #
Proposal for a regulation Article 36 – paragraph 3 3. The Commission shall ensure that all trade secrets and sensitive information obtained in the course of its investigations is treated confidentially.
Amendment 251 #
Proposal for a regulation Article 37 – paragraph 2 2. Conformity assessments shall be carried out in a proportionate manner, avoiding unnecessary burdens for economic operators, with special considerations for SMEs. Conformity assessment bodies shall perform their
Amendment 252 #
Proposal for a regulation Article 37 – paragraph 2 2. Conformity assessments shall be carried out in a proportionate manner, avoiding unnecessary burdens for economic operators. Conformity assessment bodies shall perform their activities taking due account of the size of an undertaking, the sector in which it operates, its structure, the degree of complexity and the risk exposure of the product type and technology in question and the mass or serial nature of the production process.
Amendment 253 #
Proposal for a regulation Article 39 – paragraph 1 The Commission shall provide for the organisation of exchange of experience between the Member States' national authorities responsible for notification
Amendment 254 #
Proposal for a regulation Article 40 – paragraph 1 1. The Commission shall ensure that appropriate coordination and cooperation between notified bodies are put in place in a way that reduces bureaucracy and fees, and properly operated in the form of a cross-sectoral group of notified bodies.
Amendment 255 #
Proposal for a regulation Article 40 – paragraph 2 2. Member States shall ensure that the bodies notified by them participate in the work of that group, directly or by means of designated representatives, in a way that reduces bureaucracy and fees.
Amendment 256 #
Proposal for a regulation Article 41 – paragraph 3 3. Where relevant, the market surveillance authorities shall cooperate with the national cybersecurity certification authorities designated under Article 58 of Regulation (EU) 2019/881 and exchange information on a regular basis. With respect to the supervision of the implementation of the reporting obligations pursuant to Article 11 of this Regulation, the designated market surveillance authorities shall effectively cooperate with ENISA. The market surveillance authorities may request ENISA to provide technical advice on matters related to the implementation and enforcement of this Regulation, including during investigations in accordance with Article 43.
Amendment 257 #
Proposal for a regulation Article 41 – paragraph 3 3. Where relevant, the market surveillance authorities shall cooperate with the national cybersecurity certification authorities designated under Article 58 of Regulation (EU) 2019/881 and exchange information on a regular basis.
Amendment 258 #
Proposal for a regulation Article 41 – paragraph 3 a (new) 3 a. With respect to the supervision of the implementation of the reporting obligations pursuant to Article 11 of this Regulation, the designated market surveillance authorities shall cooperate with ENISA. The market surveillance authorities may request ENISA to provide technical advice on matters related to the implementation and enforcement of this Regulation. When conducting an investigation under Article 43, market surveillance authorities may request ENISA to provide non-binding evaluations of compliance of products with digital elements.
Amendment 259 #
Proposal for a regulation Article 41 – paragraph 7 7. The Commission shall facilitate the regular and structured exchange of experience between designated market surveillance authorities, including via a dedicated administrative cooperation group (ADCO) established under paragraph 11 of this Article.
Amendment 260 #
Proposal for a regulation Article 41 – paragraph 8 8. Market surveillance authorities may provide guidance and advice to economic operators on the implementation of this Regulation, with the support of the Commission. Market surveillance authorities shall be equipped to receive complaints by consumers affected by products with digital elements if they consider that the relevant products or the practices engaged infringe this Regulation, and shall facilitate the active participation of civil society in market surveillance activities, including scientific, research and consumer organisations, by establishing a clear and accessible mechanism to facilitate reporting of vulnerabilities, incidents, and cyber threats.
Amendment 261 #
Proposal for a regulation Article 41 – paragraph 11 11. A dedicated administrative cooperation group (ADCO) shall be established for the uniform application of this Regulation,
Amendment 262 #
Proposal for a regulation Article 41 – paragraph 11 a (new) 11 a. For products with digital elements falling within the scope of this Regulation, distributed, put into service or used by financial institutions regulated by relevant Union legislation on financial services, the market surveillance authority for the purposes of this Regulation shall be the relevant authority responsible for the financial supervision of those institutions under that legislation.
Amendment 263 #
Proposal for a regulation Article 41 – paragraph 11 a (new) 11 a. Market surveillance authorities shall facilitate the active participation of stakeholders in market surveillance activities, including scientific, research and consumer organisations, by establishing a clear and accessible mechanism to facilitate the voluntary reporting of vulnerabilities, incidents, and cyber threats.
Amendment 264 #
Proposal for a regulation Article 41 a (new) Article 41 a Expert group on technical matters 1. The Commission shall establish an expert group in order to provide technical advice to the Commission and competent authorities on matters related to in the implementation and enforcement of this Regulation. In particular, the expert group shall provide non-binding evaluations of products with digital elements upon request by a market surveillance authority that is conducting an investigation under Article 43 and guidance on the application of relevant concepts to software and the exclusion of free and open source software. 2. The expert group shall consist of independent experts appointed for a renewable three-year term by the Commission on the basis of their scientific or technical expertise in the field. The Commission shall appoint a number of experts which is deemed sufficient to fulfil the foreseen needs, ensuring that their professional background and affiliations result in a balanced representation of stakeholder interests, in particular open source organisations, national accreditation bodies, conformity assessment bodies pursuant to Regulation (EC) 765/2008 of the European Parliament and of the Council, data protection authorities, as well as academia and consumer organisations. 3. The Commission shall take the necessary measures to manage and prevent any conflicts of interest. The Declarations of interests of the members of the expert group shall be made publicly available. 4. The appointed experts shall perform their tasks with the highest level of professionalism, independence, impartiality and objectivity. 5. When adopting positions, views and reports, the expert group shall attempt to reach consensus. If consensus cannot be reached, decisions shall be taken by a qualified majority of the group members.
Amendment 265 #
Proposal for a regulation Article 42 – paragraph 1 Where necessary to assess the conformity of products with digital elements and the processes put in place by their manufacturers with the essential requirements set out in Annex I and upon a reasoned request, the market surveillance authorities shall be granted access to the data required to assess the design, development, production and vulnerability handling of such products, including related internal documentation of the respective economic operator. Where appropriate, and in accordance with Article 52(1) point (a), this shall be in a secure, controlled environment determined by the manufacturer.
Amendment 266 #
Proposal for a regulation Article 43 – paragraph 1 – subparagraph 2 Where, in the course of that evaluation, the market surveillance authority finds that the product with digital elements does not comply with the requirements laid down in this Regulation or otherwise present threat to national security, it shall without delay require the relevant operator to take all appropriate corrective actions to bring the product into compliance with those requirements, to withdraw it from the market, or to recall it within a reasonable
Amendment 267 #
Proposal for a regulation Article 43 – paragraph 1 – subparagraph 2 Where, in the course of that evaluation, the market surveillance authority finds that the product with digital elements does not comply with the requirements laid down in this Regulation, it shall without delay require the relevant economic operator to take all appropriate corrective actions to bring the product into compliance with those requirements, to withdraw it from the market, or to recall it within a
Amendment 268 #
Proposal for a regulation Article 43 – paragraph 4 – subparagraph 1 Where the manufacturer of a product with digital elements does not take adequate corrective action within the period referred to in paragraph 1, second subparagraph, or the relevant Member States authority consider product to present threat to the national security, the market surveillance authority shall take all appropriate provisional measures to prohibit or restrict that product being made
Amendment 269 #
Proposal for a regulation Article 43 – paragraph 7 7. Where, within three months of receipt of the information referred to in paragraph 4, no objection has been raised by either a Member State or the Commission in respect of a provisional measure taken by a Member State, that measure shall be deemed justified. The decision referred to in paragraph 1, concerning threat to national security shall always be deemed justified. This is without prejudice to the procedural rights of the operator concerned in accordance with Article 18 of Regulation (EU) 2019/1020.
Amendment 270 #
Proposal for a regulation Article 45 – paragraph 1 1. Where the Commission has sufficient reasons to consider, including based on information provided by the competent authorities of Member States, the computer security incident response teams (CSIRTs) designated or established in accordance with Directive (EU) 2022/2555 or ENISA, that a product with digital elements that
Amendment 271 #
Proposal for a regulation Article 45 – paragraph 1 1. Where the Commission has sufficient reasons to consider, including based on information provided by ENISA, that a product with digital elements that presents a significant cybersecurity risk is non-compliant with the requirements laid down in this Regulation, it
Amendment 272 #
Proposal for a regulation Article 45 – paragraph 2 2. In exceptional circumstances which justify an immediate intervention to preserve the good functioning of the internal market and where the Commission
Amendment 273 #
Proposal for a regulation Article 45 – paragraph 2 2. In
Amendment 274 #
Proposal for a regulation Article 45 – paragraph 2 2. In
Amendment 275 #
Proposal for a regulation Article 45 – paragraph 3 Amendment 276 #
Proposal for a regulation Article 46 – paragraph 1 1. Where, having performed an evaluation under Article 43, the market surveillance authority of a Member State finds that although a product with digital elements and the processes put in place by the manufacturer are in compliance with this Regulation, they present a significant cybersecurity risk and, in addition, they pose a risk to the health or safety of persons, to the compliance with obligations under Union or national law intended to protect fundamental rights, the availability authenticity, integrity or confidentiality of services offered using an electronic information system by essential entities of the type referred to in [Annex I to Directive XXX / XXXX (NIS2)] or to other aspects of public interest protection, it shall require the relevant economic operator to take all appropriate measures to ensure that the product with digital elements and the processes put in place by the manufacturer concerned, when placed on the market, no longer present that risk, to withdraw the product with digital elements from the market or to recall it within a
Amendment 277 #
Proposal for a regulation Article 46 – paragraph 2 2. The manufacturer or other relevant economic operators shall ensure that corrective action is taken in respect of the products with digital elements concerned that they have made available on the market throughout the Union within the timeline established by the market surveillance authority of the Member State referred to in paragraph 1.
Amendment 278 #
Proposal for a regulation Article 46 – paragraph 6 6. Where the Commission has sufficient reasons to consider, including based on information provided by ENISA, that a product with digital elements, although compliant with this Regulation, presents the risks referred to in paragraph 1, it
Amendment 279 #
Proposal for a regulation Article 46 – paragraph 7 7. In
Amendment 280 #
Proposal for a regulation Article 46 – paragraph 8 8. Based on ENISA’s evaluation referred to in paragraph 7, the Commission
Amendment 281 #
Proposal for a regulation Article 48 – paragraph 2 2. The Commission or ENISA
Amendment 282 #
Proposal for a regulation Article 48 – paragraph 2 2. The Commission or ENISA
Amendment 283 #
Proposal for a regulation Article 49 – paragraph 1 1. Market surveillance authorities
Amendment 284 #
Proposal for a regulation Article 49 – paragraph 2 2. Unless otherwise agreed upon by the market surveillance authorities involved, sweeps shall be coordinated by the Commission. The coordinator of the sweep
Amendment 285 #
Proposal for a regulation Article 49 – paragraph 3 3. ENISA
Amendment 286 #
Proposal for a regulation Article 49 – paragraph 4 4. When conducting sweeps, the market surveillance authorities involved
Amendment 287 #
Proposal for a regulation Article 49 – paragraph 5 5. Market surveillance authorities
Amendment 288 #
Proposal for a regulation Article 49 a (new) Amendment 289 #
Proposal for a regulation Article 52 – paragraph 1 – point a (a) intellectual property rights
Amendment 290 #
Proposal for a regulation Article 53 – paragraph 3 3. The non-compliance with the essential cybersecurity requirements laid down in Annex I and the obligations set out in Articles 10 and 11 shall be subject to administrative fines of up to
Amendment 291 #
Proposal for a regulation Article 53 – paragraph 4 4. The non-compliance with any other obligations under this Regulation shall be subject to administrative fines of up to 1
Amendment 292 #
Proposal for a regulation Article 53 – paragraph 6 – point a a (new) (a a) the type of manufactured product and whether entity qualifies as microenterprise for the specific compliance regime outlined in the Article 10(-1) of this Regulation.
Amendment 293 #
Proposal for a regulation Article 53 – paragraph 6 – point c (c) the size and market share of the operator committing the infringement
Amendment 294 #
Proposal for a regulation Chapter VII a (new) CHAPTER VIIa MEASURES IN SUPPORT OF INNOVATION: Article 53a Regulatory sandboxes 1. The Commission and ENISA, shall establish a European regulatory sandbox with voluntary participation of manufacturers of products with digital elements to: (a) provide for a controlled environment that facilitates the development, testing and validation of the design, development and production of products with digital elements, before their placement on the market or putting into service pursuant to a specific plan; (b) provide practical support to economic operators, including via guidelines and best practices to comply with the essential requirements set out in Annex I. (c) contribute to evidence-based regulatory learning.
Amendment 295 #
Proposal for a regulation Article 54 a (new) Article 54 a Amendment to Directive 2020/1828/EC In Annex I to Directive 2020/1828/EC the following point is added: ‘67. [Regulation XXX][Cyber Resilience Act]’.
Amendment 296 #
Proposal for a regulation Article 55 – paragraph 1 1. EU type-examination certificates and approval decisions issued regarding cybersecurity requirements for products with digital elements that are subject to other Union harmonisation legislation shall remain valid until [42 months after the date of entry into force of this Regulation], unless they expire
Amendment 297 #
Proposal for a regulation Article 55 – paragraph 3 a (new) 3 a. By way of derogation, for products with digital elements falling in scope of Regulation [Machinery Regulation proposal] or Regulation (EU) 167/2013 of the European Parliament and of the Council, the application date referred to Article 57 is extended by [36 months].
Amendment 298 #
Proposal for a regulation Article 55 – paragraph 3 b (new) 3 b. By way of derogation for products with digital elements falling in scope of Regulation [Machinery Regulation proposal] or Regulation 2013/167, where the annual new sales in the EU of each type are fewer than [1000] units, the application date referred to Article 57 is extended by [60 months].
Amendment 299 #
Proposal for a regulation Article 57 – paragraph 2 It shall apply from [
Amendment 300 #
Proposal for a regulation Article 57 – paragraph 2 It shall apply from
Amendment 301 #
Proposal for a regulation Article 57 – paragraph 2 It shall apply from
Amendment 302 #
Proposal for a regulation Article 57 – paragraph 2 It shall apply from [
Amendment 303 #
Proposal for a regulation Annex I – Part 1 – point 2 (2) Products with digital elements shall be delivered without any known critical or high severity exploitable vulnerabilities;
Amendment 304 #
Proposal for a regulation Annex I – Part 1 – point 2 (2) Products with digital elements shall be delivered
Amendment 305 #
Proposal for a regulation Annex I – Part 1 – point 3 – introductory part (3) On the basis of the cybersecurity risk assessment referred to in Article 10(2) and where applicable, products with digital elements
Amendment 306 #
Proposal for a regulation Annex I – Part 1 – point 3 – point a (a) be delivered with a secure by default configuration
Amendment 307 #
Proposal for a regulation Annex I – Part 1 – point 3 – point a (a) be delivered with a secure by default configuration, including the possibility to reset the product to its
Amendment 308 #
Proposal for a regulation Annex I – Part 1 – point 3 – point a a (new) (a a) be placed on the market with functional separation of security updates from functionality updates, to allow automatic installation of security updates, with a clear and easy-to-use opt-out mechanism, and preserve user choice on functionalities unless technically unfeasible;
Amendment 309 #
Proposal for a regulation Annex I – Part 1 – point 3 – point c (c) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypti
Amendment 310 #
Proposal for a regulation Annex I – Part 1 – point 3 – point c (c) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other,
Amendment 311 #
Proposal for a regulation Annex I – Part 1 – point 3 – point d (d) protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, as well as report on corruptions or possible unauthorised access;
Amendment 312 #
Proposal for a regulation Annex I – Part 1 – point 3 – point f (f) protect the availability of essential and basic functions, including the resilience against and mitigation of denial of service attacks;
Amendment 313 #
Proposal for a regulation Annex I – Part 1 – point 3 – point i (i) be designed, developed and produced to reduce the impact of a
Amendment 314 #
Proposal for a regulation Annex I – Part 1 – point 3 – point j (j) provide security related information by providing at user request recording and/or monitoring capabilities, locally and at device level for relevant internal activity, including the access to or modification of data, services or functions;
Amendment 315 #
Proposal for a regulation Annex I – Part 1 – point 3 – point k (k) ensure that vulnerabilities can be addressed through security updates, including, where applicable, separate from functionality updates and through automatic updates and the notification of available updates to users.
Amendment 316 #
Proposal for a regulation Annex I – Part 1 – point 3 – point k (k) ensure that vulnerabilities can be addressed through
Amendment 317 #
Proposal for a regulation Annex I – Part 1 – point 3 – point k a (new) (k a) be designed, developed and produced in order to allow for its secure discontinuation and potential recycling when reaching the end of the life cycle, including by allowing users to securely withdraw and remove all data on a permanent basis;
Amendment 318 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – point 2 (2) in relation to the risks posed to the products with digital elements, address and remediate critical and high vulnerabilities without delay, including by providing security updates or document the reasons for not remediating the vulnerability;
Amendment 319 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – point 4 (4) once a security update has been made available, publically or according to industry best practice disclose information about fixed known vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and information helping users to remediate the vulnerabilities;
Amendment 320 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – point 4 (4) once a security update has been made available, publically disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities;
Amendment 321 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – point 4 a (new) (4 a) Information regarding fixes and vulnerabilities is shared and disclosed in a controlled way, respecting principles of ‘harm reduction’ and trade secrets through responsible disclosure of vulnerabilities to the actors who can act to mitigate the vulnerability, and that it is not made publicly available to avoid the risk of inadvertently informing potential attackers;
Amendment 322 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – point 7 (7) provide for mechanisms to securely distribute security updates for products with digital elements to ensure that exploitable vulnerabilities are fixed or mitigated in a timely manner;
Amendment 323 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – point 8 (8) ensure that, where security patches or updates
Amendment 324 #
Proposal for a regulation Annex II – paragraph 1 – point 2 2. the single point of contact where
Amendment 325 #
Proposal for a regulation Annex II – paragraph 1 – point 6 6. if and, where applicable, where the software bill of materials can be accessed by the competent authorities;
Amendment 326 #
Proposal for a regulation Annex II – paragraph 1 – point 6 6.
Amendment 327 #
Proposal for a regulation Annex II – paragraph 1 – point 8 8. the type of technical security support offered by the manufacturer and until when it will be provided
Amendment 328 #
Proposal for a regulation Annex II – paragraph 1 – point 8 a (new) 8 a. the expected product lifetime end- date, clearly displaying, where applicable, on the packaging of the product, until when the manufacturer shall ensure the effective handling of vulnerabilities and provision of security updates;
Amendment 329 #
Proposal for a regulation Annex II – paragraph 1 – point 9 – point a Amendment 330 #
Proposal for a regulation Annex II – paragraph 1 – point 9 – point b Amendment 331 #
Proposal for a regulation Annex II – paragraph 1 – point 9 – point c a (new) (c a) the expected product lifetime and until when the manufacturer ensures the effective handling of vulnerabilities and provision of security updates;
Amendment 332 #
Proposal for a regulation Annex II – paragraph 1 – point 9 – point d Amendment 333 #
Proposal for a regulation Annex III – Part I – point 3 a (new) 3 a. Authentication, Authorization and Accounting (AAA) platforms;
Amendment 334 #
Proposal for a regulation Annex III – Part I – point 15 15. Physical and virtual network interfaces;
Amendment 335 #
Proposal for a regulation Annex III – Part I – point 18 Amendment 336 #
Proposal for a regulation Annex III – Part I – point 23 23. Industrial products with digital elements that can be referred as part of Internet of Things not covered by class II.
Amendment 337 #
Proposal for a regulation Annex III – Part II – point 4 4. Firewalls, security gateways, intrusion detection and/or prevention systems intended for industrial use
Amendment 338 #
Proposal for a regulation Annex III – Part II – point 7 7. Routers, modems intended for the connection to the internet,
Amendment 339 #
Proposal for a regulation Annex III – Part II – point 15 a (new) 15 a. Smart home products, including smart home servers and virtual assistants;
Amendment 340 #
Proposal for a regulation Annex III – Part II – point 15 b (new) 15 b. Smart security devices, including smart door locks, cameras and alarm systems;
Amendment 341 #
Proposal for a regulation Annex III – Part II – point 15 c (new) 15 c. Smart toys and similar devices likely to interact with children;
Amendment 342 #
Proposal for a regulation Annex III – Part II – point 15 d (new) 15 d. Personal health appliances and wearables.
Amendment 343 #
Proposal for a regulation Annex V – paragraph 1 – point 1 – point a Amendment 344 #
Proposal for a regulation Annex V – paragraph 1 – point 2 Amendment 345 #
Proposal for a regulation Annex V – paragraph 1 – point 2 – point a Amendment 346 #
Proposal for a regulation Annex V – paragraph 1 – point 3 3. a
Amendment 347 #
Proposal for a regulation Annex V – paragraph 1 – point 3 3. a
Amendment 57 #
Proposal for a regulation Recital 7 (7) Under certain conditions, all products with digital elements integrated in or connected to a larger electronic information system can serve as an attack vector for malicious actors. As a result, even hardware and software considered as less critical can facilitate the initial compromise of a device or network, enabling malicious actors to gain privileged access to a system or move laterally across systems. Manufacturers should therefore ensure that all
Amendment 58 #
Proposal for a regulation Recital 7 a (new) (7 a) This Regulation should not apply to the internal networks of a product with digital elements if these networks have dedicated endpoints and are secured from external data connection.
Amendment 59 #
Proposal for a regulation Recital 7 b (new) (7 b) This Regulation should not apply to spare parts intended solely to replace defective parts of products with digital elements, in order to restore their functionality.
Amendment 60 #
Proposal for a regulation Recital 9 (9) This Regulation ensures a high level of cybersecurity of products with digital elements
Amendment 61 #
Proposal for a regulation Recital 9 (9) This Regulation ensures a high level of cybersecurity of products with digital elements. It does not regulate services,
Amendment 62 #
Proposal for a regulation Recital 9 a (new) (9 a) Software and data that are openly shared and where users can freely access, use, modify and redistribute them or modified versions thereof, can contribute to research and innovation in the market. Research by the Commission also shows that free and open-source software can contribute between €65 billion to €95 billion to the Union’s GDP and that it can provide significant growth opportunities for the European economy. Users are allowed to run, copy, distribute, study, change and improve software and data, including models by way of free and open- source licences. To foster the development and deployment of free and open source software, especially by SMEs, start-ups, non-profits, academic research but also by individuals, this Regulation should not apply to such free and open-source software components, except in very specific cases. We must take into account the fact that different development models of software distributed and developed under public licences exist, having a wide range of different roles in such development models. Developers of free and open-source software components should not be mandated under this Regulation to comply with requirements targeting the product value chain and, in particular, not towards the manufacturer that has used that free and open-source software component in a commercial product. Developers of free and open- source software components, as well as all manufacturers that are not subject to stricter compliance rules, should however be encouraged to implement the provisions of Annex I, as a way to increase security, allowing the promotion of trustworthy products with digital elements in the Union.
Amendment 63 #
Proposal for a regulation Recital 10 (10)
Amendment 64 #
Proposal for a regulation Recital 10 (10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software. Nonetheless, in order to ensure that individual or micro developers of software as defined in Commission Recommendation 2003/361/EC do not face major financial obstacles and are not discouraged from testing the proof of concept as well as the business case on the market, these entities shall be required to make best efforts in order to comply with the requirements in this proposal during the 18 months from placing a software on the market. This special regime will prevent the chilling effect of high compliance and entry costs could have on entrepreneurs or skilled individuals who consider developing software in the Union.
Amendment 65 #
Proposal for a regulation Recital 10 (10)
Amendment 66 #
Proposal for a regulation Recital 10 (10)
Amendment 67 #
Proposal for a regulation Recital 10 a (new) (10 a) Due to the permissive nature of open-source licences, open-source software can be used as a component in products without need for the consent or knowledge of the original author, allowing for manufacturers to build new products and services quickly, however open-source software developers are not compensated for this use and often work on the software in their free time. Therefore, when a manufacturer uses open-source software as a component in a product, they should be subject to the obligations of manufacturers for that component, unless otherwise agreed through the provision of commercial technical support either by the developer or a third-party.
Amendment 68 #
Proposal for a regulation Recital 10 a (new) (10 a) Free and open-source software is developed, maintained, and distributed via online platforms. In contrast to app stores that make products available, these entities play an important research and development role. As such, package managers, code hosting, and collaboration platforms do not make software products available on the market as distributors within this Regulation.
Amendment 69 #
Proposal for a regulation Recital 10 b (new) (10 b) Public open-source code and software repositories allow developers to access a wide range of resources for software development, and allow for developers to share their code with the wider open-source community. These repositories operate as a public good, and therefore should not be considered as providers, manufacturers, importers or distributors, nor should their activity be considered as commercial within the meaning of this Regulation.
Amendment 70 #
Proposal for a regulation Recital 11 a (new) (11 a) According to the WTO Agreement on Technical Barriers to Trade, when technical regulations are necessary and relevant international standards exist, WTO Members should use those standards as the basis for their own technical regulations. It is important to avoid duplication of work among standardisation organizations, as international standards are intended to facilitate the harmonization of national and regional technical regulations and standards, thereby reducing non-tariff technical barriers to trade. Given that cybersecurity is a global issue, the Union should strive for maximum alignment. To achieve this objective, the standardization request for this Regulation, as set out in Article 10 of Regulation 1025/2012, should seek to reduce barriers to the acceptance of standards by publishing their references in the Official Journal of the EU, in accordance with Article 10 (6) of Regulation 1025/2012.
Amendment 71 #
Proposal for a regulation Recital 11 b (new) (11 b) Considering the broad scope of this Regulation, the timely development of harmonised standards poses a significant challenge. To enhance the security of products with digital components in the Union market as soon as possible, the Commission should be empowered for a limited time to declare existing international standards for cyber security of products as satisfying the requirements of this Regulation. These standards should be published as standards providing presumption of conformity.
Amendment 72 #
Proposal for a regulation Recital 13 a (new) (13 a) Agricultural and forestry vehicles in scope of Regulation (EU) 167/2013 of the European Parliament and of the Council fall also in the scope of this Regulation. In order to avoid regulatory overlaps, additional cybersecurity requirements in future amendments of Regulation (EU) 167/2013 should not be foreseen.
Amendment 73 #
Proposal for a regulation Recital 16 a (new) (16 a) Without prejudice to the rules set out in Directive 85/374/EEC, manufacturers should also be liable for the damages suffered by consumers that are caused by their infringement of the legal obligations and cybersecurity requirements set out in this Regulation. Such compensation should be in accordance with the rules and procedures set out in the applicable national law and without prejudice to other possibilities for redress available under consumer protection rules.
Amendment 74 #
Proposal for a regulation Recital 19 (19) Certain tasks provided for in this Regulation should be carried out by ENISA, in accordance with Article 3(2) of Regulation (EU) 2019/881. In particular, ENISA should receive notifications from manufacturers of actively exploited vulnerabilities contained in products with digital elements, as well as incidents having an impact on the security of those products. ENISA should also forward these notifications to the relevant Computer Security Incident Response Teams (CSIRTs) or, respectively, to the relevant single points of contact of the Member States designated in accordance with Article [Article X] of Directive [Directive XXX / XXXX (NIS2)], and inform the relevant market surveillance authorities about the notified vulnerability. On the basis of the information it gathers, ENISA should prepare a biennial technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group referred to in Directive [Directive XXX / XXXX (NIS2)]. Furthermore, considering its expertise and mandate, ENISA should be able to support the process for implementation of this Regulation. In particular, it should be able to propose joint activities to be conducted by market surveillance authorities based on indications or information regarding potential non-compliance with this Regulation of products with digital elements across several Member States or identify categories of products for which simultaneous coordinated control actions should be organised. In exceptional
Amendment 75 #
Proposal for a regulation Recital 19 (19) Certain tasks provided for in this Regulation should be carried out by
Amendment 76 #
Proposal for a regulation Recital 20 (20) Products with digital elements should bear the CE marking to visibly, legibly and indelibly indicate their conformity with this Regulation so that they can move freely within the internal market. Member States should not create unjustified obstacles to the placing
Amendment 77 #
Proposal for a regulation Recital 22 (22) In order to ensure that products with digital elements, when placed on the market, do not pose cybersecurity risks to persons and organisations, essential requirements should be set out for such products. When the products are subsequently modified, by physical or digital means, in a way that
Amendment 78 #
Proposal for a regulation Recital 22 (22) In order to ensure that products with digital elements, when placed on the market, do not pose cybersecurity risks to persons and organisations, essential requirements should be set out for such products. When the products are subsequently modified, by physical or digital means, in a way that is not foreseen by the manufacturer and that may imply that they no longer meet the relevant essential requirements, the modification should be considered as substantial. For example, software updates or repairs could be assimilated to maintenance operations provided that they do not modify a product already placed on the market in such a way that compliance with the applicable requirements may be affected
Amendment 79 #
Proposal for a regulation Recital 22 (22) In order to ensure that products with digital elements, when placed on the market, do not pose cybersecurity risks to persons and organisations, essential requirements should be set out for such products. When the products are subsequently modified, by physical or digital means, in a way that is not foreseen by the manufacturer and that may imply that they no longer meet the relevant essential requirements, the modification should be considered as substantial. For example, software updates or repairs such as minor adjustment of the source code that can improve the security and functioning, could be assimilated to maintenance operations provided that they do not modify a product already placed on the market in such a way that compliance with the applicable requirements may be affected, or that the intended use for which the product has been assessed may be changed. As is the case for physical repairs or modifications, a product with digital elements should be considered as substantially modified by a software change where the software update modifies the original intended functions, type or performance of the product and these changes were not foreseen in the initial risk assessment, or the nature of the hazard has changed or the level of risk has increased because of the software update.
Amendment 80 #
Proposal for a regulation Recital 23 (23) In line with the commonly established notion of substantial modification for products regulated by Union harmonisation legislation, whenever a substantial modification occurs that may affect the compliance of a product with this Regulation or when the intended purpose of that product changes, , it is appropriate that the compliance of the product with digital elements is verified and that, where applicable,
Amendment 81 #
Proposal for a regulation Recital 23 (23) In line with the commonly established notion of substantial modification for products regulated by Union harmonisation legislation, whenever a substantial modification occurs that may affect the compliance of a product with this Regulation
Amendment 82 #
Proposal for a regulation Recital 24 a (new) (24 a) Manufacturers of products with digital elements should ensure that software updates are provided in a clear and transparent way and clearly differentiate between security and functionality updates. Whilst security updates are designed to decrease the level of risk of a product with digital elements, the uptake of functionality updates provided by the manufacturer should always remain a user choice. Manufacturers should therefore provide these updates separately, unless technically unfeasible. Manufacturers should provide consumers with adequate information on the reasons behind each update and its foreseen impact on the product, as well as a clear and easy-to-use opt-out mechanism.
Amendment 83 #
Proposal for a regulation Recital 24 a (new) (24 a) Manufacturers should clearly differentiate between security and functionality updates, and ensure that they are provided separately in a clear and transparent way. Manufacturers should therefore provide these updates separately, unless technically unfeasible. Manufacturers should provide consumers with adequate information on the motive behind each update and its foreseen impact on the product, as well as a clear and easy-to-use opt-out mechanism.
Amendment 84 #
Proposal for a regulation Recital 25 (25) Products with digital elements should be considered critical if the negative impact of the exploitation of potential cybersecurity vulnerabilities in the product can be severe due to, amongst others, the cybersecurity-related functionality,
Amendment 85 #
Proposal for a regulation Recital 25 (25) Products with digital elements should be considered critical if the negative impact of the exploitation of potential cybersecurity vulnerabilities in the product can be severe due to, amongst others, the cybersecurity-related functionality,
Amendment 86 #
Proposal for a regulation Recital 26 (26) Critical products with digital elements should be subject to stricter conformity assessment procedures, while keeping a proportionate approach. For this purpose, critical products with digital elements should be divided into two classes, reflecting the level of cybersecurity risk linked to these categories of products. A potential cyber incident involving products in class II might lead to greater negative impacts than an incident involving products in class I, for instance due to the nature of their cybersecurity-related function or intended use in
Amendment 87 #
Proposal for a regulation Recital 28 (28) This Regulation addresses cybersecurity risks in a targeted manner. Products with digital elements might, however, pose other safety risks, that are not always related to cybersecurity but can be a consequence of a security breach. Those risks should continue to be regulated by other relevant Union product legislation as a rule if a higher level of protection is conferred. If not, safety risks in connection with the cybersecurity functions of products with digital elements should fall within the scope of this Regulation. If no other Union harmonisation legislation is applicable, they should be subject to Regulation [General Product Safety Regulation]. Therefore, in light of the targeted nature of this Regulation, as a derogation from Article 2(1), third subparagraph, point (b), of Regulation [General Product Safety Regulation], Chapter III, Section 1, Chapters V and VII, and Chapters IX to XI of Regulation [General Product Safety Regulation] should apply to products with digital elements with respect to safety risks not covered by this Regulation, if those products are not subject to specific requirements imposed by other Union harmonisation legislation within the meaning of [Article 3, point (25) of the General Product Safety Regulation].
Amendment 88 #
Proposal for a regulation Recital 28 (28) This Regulation addresses cybersecurity risks in a targeted manner
Amendment 89 #
Proposal for a regulation Recital 29 (29) Products with digital elements classified as high-risk AI systems according to Article 6 of Regulation27 [the AI Regulation] which fall within the scope of this Regulation should comply with the essential requirements set out in this Regulation. When those high-risk AI systems fulfil the essential requirements of this Regulation, they should be deemed compliant with the cybersecurity requirements set out in Article [Article 15] of Regulation [the AI Regulation] in so far as those requirements are covered by the EU declaration of conformity or parts thereof issued under this Regulation. As regards the conformity assessment procedures relating to the essential cybersecurity requirements of a product with digital elements covered by this Regulation and classified as a high-risk AI system, the relevant provisions of Article 43 of Regulation [the AI Regulation] should apply as a rule instead of the respective provisions of this Regulation.
Amendment 90 #
Proposal for a regulation Recital 30 Amendment 91 #
Proposal for a regulation Recital 30 (30) The machinery products falling within the scope of Regulation [Machinery Regulation proposal] which are products with digital elements within the meaning of this Regulation and for which a declaration of conformity has been issued on the basis of this Regulation should be deemed to be in conformity with the essential health and safety requirements set out in [Annex III, sections 1.1.9 and 1.2.1] of the Regulation [Machinery Regulation proposal], as regards protection against corruption and safety and reliability of control systems in so far as the compliance with those requirements is demonstrated by the EU declaration of conformity issued under this Regulation without prejudice to products with digital elements, which are also machinery products that fall within the categories listed in Annex I of Regulation [Machinery Regulation proposal], being subject to the specific conformity assessment procedure as required by Article 21(2) and (3) of Regulation [Machinery Regulation proposal].
Amendment 92 #
Proposal for a regulation Recital 31 (31) Regulation [European Health Data Space Regulation proposal] complements the essential requirements laid down in this Regulation. The electronic health record systems (‘EHR systems’) falling under the scope of Regulation [European Health Data Space Regulation proposal] which are products with digital elements within the meaning of this Regulation should therefore also comply with the essential requirements set out in this Regulation
Amendment 93 #
Proposal for a regulation Recital 32 (32) In order to ensure that products with digital elements are secure both at the time of their placing on the market as well as throughout their life-cycle, it is necessary to lay down essential requirements for vulnerability handling and essential cybersecurity requirements relating to the properties of products with digital elements. While manufacturers should comply with all essential requirements related to vulnerability handling
Amendment 94 #
Proposal for a regulation Recital 32 (32) In order to ensure that products with digital elements are secure both at the time of their placing on the market as well as throughout their life-cycle, it is necessary to lay down essential requirements for vulnerability handling and essential cybersecurity requirements relating to the properties of products with digital elements. While manufacturers should comply with all essential requirements related to vulnerability handling and ensure that all their products are delivered without any known exploitable vulnerabilities, they should determine which other essential requirements related to the product properties are relevant for the concerned type of product. For this purpose, manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements to identify relevant risks and relevant essential requirements and in order to appropriately apply suitable harmonised standards
Amendment 95 #
Proposal for a regulation Recital 32 a (new) (32 a) In order to ensure the products are designed, developed and produced in line with essential requirements foreseen in Section 1 of Annex I, manufacturers should exercise due diligence when integrating components sourced from third parties in products with digital elements. Given that such components are tailored to and integrated taken into account the specificities of the product, in particular in the case of free and open source software that have not been placed on the market in exchange of financial or other type of monetisation, the manufacturer of the product shall be responsible for ensuring its compliance.
Amendment 96 #
Proposal for a regulation Recital 34 Amendment 97 #
Proposal for a regulation Recital 34 a (new) (34 a) ENISA should be responsible for publishing and maintaining a database of known exploited vulnerabilities. Manufacturers should monitor the database and notify vulnerabilities found in their products.
Amendment 98 #
Proposal for a regulation Recital 35 Amendment 99 #
Proposal for a regulation Recital 35 (35) Manufacturers should also report to ENISA any incident having an impact on the security of the product with digital
source: 746.662
2023/05/04
ITRE
423 amendments...
Amendment 124 #
Proposal for a regulation Title 1 Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on
Amendment 125 #
Proposal for a regulation Recital 1 (1)
Amendment 126 #
Proposal for a regulation Recital 4 (4) While the existing Union legislation applies to certain products with digital elements, there is no horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements. The various acts and initiatives taken thus far at Union and national levels only partially address the identified cybersecurity-related problems and risks, creating a legislative patchwork within the internal market, increasing legal uncertainty for both manufacturers and users of those products and adding an unnecessary burden on companies to comply with a number of requirements for similar types of products. The cybersecurity of these products has a particularly strong cross-border dimension, as products manufactured in one country are often used by organisations and consumers across the entire internal market. This makes it necessary to regulate the field at Union level. The Union regulatory landscape should be harmonised by introducing cybersecurity requirements for products with digital elements. In addition, certainty for operators and users should be ensured across the Union, as well as a better harmonisation of the single market, proportionality for micro, small and medium sized enterprises, thus creating more viable conditions for operators aiming at entering the Union
Amendment 127 #
Proposal for a regulation Recital 7 (7) Under certain conditions, all products with digital elements integrated in or connected to a larger electronic information system can serve as an attack vector for malicious actors. As a result, even hardware and software considered as less critical can facilitate the initial compromise of a device or network, enabling malicious actors to gain privileged access to a system or move laterally across systems. Manufacturers should therefore ensure that all
Amendment 128 #
Proposal for a regulation Recital 7 a (new) (7a) This regulation should not apply to the internal networks of a product with digital elements if these networks have dedicated endpoints and are secured from external data connection.
Amendment 129 #
Proposal for a regulation Recital 7 b (new) (7b) This regulation should not apply to spare parts intended solely to replace defective parts of products with digital elements, in order to restore their functionality.
Amendment 130 #
Proposal for a regulation Recital 8 a (new) (8a) Directive (EU) 2022/2555 puts in place cybersecurity and incident reporting requirements for essential and important entities, such as critical infrastructure, with a view to increasing the resilience of the services they provide. It applies to cloud computing services and cloud service models, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS) and Network as a Service (NaaS). All entities providing cloud computing services in the Union that meet or exceed the threshold for medium-sized enterprises and the smaller providers of cloud computing services identified in accordance with Article 2(2) fall in the scope of that Directive.
Amendment 131 #
Proposal for a regulation Recital 9 (9) This Regulation ensures a high level of cybersecurity of products with digital elements
Amendment 132 #
Proposal for a regulation Recital 9 (9) This Regulation does not regulate the cloud computing services, it ensures a high level of cybersecurity of products with digital elements.
Amendment 133 #
Proposal for a regulation Recital 9 (9) This Regulation ensures a high level of cybersecurity of products with digital elements. It does not regulate services, such as Software-as-a-Service (SaaS), except for remote data processing solutions relating to a product with digital elements understood as any data processing at a distance for which the software is designed and developed by or on behalf of the manufacturer of the product concerned
Amendment 134 #
Proposal for a regulation Recital 9 a (new) (9a) Software and data that are openly shared and where users can freely access, use, modify and redistribute them or modified versions thereof, can contribute to research and innovation in the market. Research by the European Commission also shows that free and open-source software can contribute between €65 billion to €95 billion to the European Union’s GDP and that it can provide significant growth opportunities for the European economy. Users are allowed to run, copy, distribute, study, change and improve software and data, including models by way of free and open-source licences. To foster the development and deployment of free and open source software, especially by SMEs, start-ups, non-profits, academic research but also by individuals, this Regulation should not apply to such free and open-source software components, except in very specific cases. We must take into account the fact that different development models of software distributed and developed under public licences exist, having a wide a range of different roles in such development models. For example commercial open-source exists and is generally developed by a single organisation or an asymmetric community, where a single organisation is generating significant revenues from related use in business relationships. In contrast, vendor-neutral free and open source is developed by a symmetric community, sometimes under the governance of a non-profit organisation, ensuring transparency and neutrality in the development model and with no direct revenues from related use in business relationships. This is why this Regulation should differentiate and the independent developers of free and open-source software components should not be mandated under this Regulation to comply with requirements targeting the product value chain and, in particular, not towards the manufacturer that has used that free and open-source software component in a commercial product. Developers of free and open-source software components, as well as all manufacturers that are not subject to stricter compliance rules, should however be encouraged to implement the provisions of Annex I, as a way to increase security, allowing the promotion of trustworthy products with digital elements in the EU.
Amendment 135 #
Proposal for a regulation Recital 10 (10)
Amendment 136 #
Proposal for a regulation Recital 10 (10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software. Nonetheless, in order to ensure that individual or micro developers of software as defined in Commission Recommendation 2003/361/EC do not face major financial obstacles and are not discouraged from testing the proof of concept as well as the business case on the market, these entities shall be required to make best efforts in order to comply with the requirements in this proposal during the 12 months from placing a software on the market. This special regime will prevent the chilling effect of high compliance and entry costs could have on entrepreneurs or skilled individuals who consider developing software in the European Union.
Amendment 137 #
Proposal for a regulation Recital 10 (10)
Amendment 138 #
Proposal for a regulation Recital 10 (10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of
Amendment 139 #
Proposal for a regulation Recital 10 (10) In order to enhance the collaborative development of free and open source software and not to hamper innovation or research, only free and open- source software
Amendment 140 #
Proposal for a regulation Recital 10 (10) In order not to hamper innovation or research, only free and open-source software developed or supplied
Amendment 141 #
Proposal for a regulation Recital 10 (10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity
Amendment 142 #
Proposal for a regulation Recital 10 a (new) (10a) The lack of professional skills in the field of cybersecurity is a key issue to be tackled for the succesful application of this Regulation. Therefore, in line with the European Commission Communication "Closing the cybersecurity talent gap to boost the EU's competitiveness, growth and resilience ('The Cybersecurity Skills Academy')", specific measures both at EU and Member States level should be put in place to assess the state and the evolution of cybersecurity labour market and create a single point of entry and synergies for cybersecurity education and training offers with the aim of establishing a common EU approach to cybersecurity training.
Amendment 143 #
Proposal for a regulation Recital 13 a (new) (13a) Agricultural and forestry vehicles in scope of Regulations (EU) 167/2013 of the European Parliament and of the Council fall also in the scope of this Regulation. In order to avoid regulatory overlaps, additional cybersecurity requirements in future amendments of Regulation (EU) 167/2013 should not be foreseen.
Amendment 144 #
Proposal for a regulation Recital 14 a (new) (14a) This Regulation should not apply to spare parts that are exclusively manufactured in order to repair and update products with digital elements that have been placed on the market before the application date of this Regulation.
Amendment 145 #
Proposal for a regulation Recital 19 (19) C
Amendment 146 #
Proposal for a regulation Recital 19 (19) Certain tasks provided for in this Regulation should be carried out by ENISA, in accordance with Article 3(2) of Regulation (EU) 2019/881. In particular, ENISA should receive notifications from manufacturers of actively exploited vulnerabilities contained in products with digital elements, as well as incidents having an impact on the security of those products. ENISA should also forward these notifications to the relevant Computer
Amendment 147 #
Proposal for a regulation Recital 19 a (new) (19a) ENISA should publish and maintain a known exploited vulnerability catalogue that should be included in the European vulnerability database established under Directive 2022/2555 (NIS2). The catalogue should assist manufacturers in detecting known exploitable vulnerabilities and notify vulnerabilities found in their products, in order to ensure that secure products are placed on the market.
Amendment 148 #
Proposal for a regulation Recital 22 (22) In order to ensure that products with digital elements, when placed on the market, do not pose cybersecurity risks to persons and organisations, essential requirements should be set out for such products. When the products are subsequently modified, b
Amendment 149 #
Proposal for a regulation Recital 22 (22) In order to ensure that products with digital elements, when placed on the market, do not pose cybersecurity risks to persons and organisations, essential requirements should be set out for such products. When the products are subsequently modified, by physical or digital means, in a way that is not foreseen by the manufacturer and that may imply that they no longer meet the relevant essential requirements, the modification should be considered as substantial. For example, software updates or repairs could be assimilated to maintenance operations provided that they do not modify a product already placed on the market in such a way that compliance with the applicable requirements may be affected, or that the intended use for which the product has been assessed may be changed. Modifications to open source software aimed at fixing vulnerabilities or improving performance should not not be considered as substantial. As is the case for physical repairs or modifications, a product with digital elements should be considered as substantially modified by a software change where the software update modifies the original intended functions, type or performance of the product and these changes were not foreseen in the initial risk assessment, or the nature of the
Amendment 150 #
Proposal for a regulation Recital 22 (22) In order to ensure that products with digital elements, when placed on the market, do not pose cybersecurity risks to persons and organisations, essential requirements should be set out for such products. When the products are subsequently modified, by physical or digital means, in a way that is not foreseen by the manufacturer and that may imply that they no longer meet the relevant essential requirements, the modification should be considered as substantial. For example, software updates or repairs such as minor adjustment of the source code that can improve the security and functioning, could be assimilated to maintenance operations provided that they do not modify a product already placed on the market in such a way that compliance with the applicable requirements may be affected, or that the intended use for which the product has been assessed may be changed. As is the case for physical repairs or modifications, a product with digital elements should be considered as substantially modified by a software change where the software update modifies the original intended functions, type or performance of the product and these changes were not foreseen in the initial risk assessment, or the nature of the hazard has changed or the level of risk has
Amendment 151 #
Proposal for a regulation Recital 23 (23) In line with the commonly established notion of substantial modification for products regulated by Union harmonisation legislation, whenever a substantial modification occurs
Amendment 152 #
Proposal for a regulation Recital 24 a (new) (24a) Manufacturers of products with digital elements should ensure that software updates are provided in a clear and transparent way and clearly differentiate between security and functionality updates. Whilst security updates are designed to decrease the level of risk of a product with digital elements, the uptake of functionality updates provided by the manufacturer should always remain a user choice. Manufacturers should therefore provide these updates separately, unless technically unfeasible. Manufacturers should provide consumers with adequate information on the reasons behind each update and its foreseen impact on the product, as well as a clear and easy-to-use opt-out mechanism.
Amendment 153 #
Proposal for a regulation Recital 24 a (new) (24a) Manufacturers of products with digital elements shall provide software updates in a clear and transparent way in order to enhance the security protection and the functionality of the products, during the entire duration of the product's expected lifetime. Functionality and security updates shall be differentiated and users shall be clearly informed by the manufacturers regarding the nature and features of the updates. Software updates shall not intentionally affect the functionalities and the intended use of the products nor lessen its expected period of lifetime.
Amendment 154 #
Proposal for a regulation Recital 25 (25) Products with digital elements should be considered critical if the negative impact of the exploitation of potential cybersecurity vulnerabilities in the product can be severe due to, amongst others, the cybersecurity-related functionality,
Amendment 155 #
Proposal for a regulation Recital 26 (26) Critical products with digital elements should be subject to stricter conformity assessment procedures, while keeping a proportionate approach. For this purpose, critical products with digital
Amendment 156 #
Proposal for a regulation Recital 26 (26) Critical products with digital elements should be subject to stricter third- party conformity assessment procedures,
Amendment 157 #
Proposal for a regulation Recital 26 (26) Critical products with digital elements should be subject to stricter conformity assessment procedures, while keeping a proportionate approach. For this purpose, critical products with digital elements should be divided into two classes, reflecting the level of cybersecurity risk linked to these categories of products. A potential cyber incident involving products in class II might lead to greater negative impacts than an incident involving products in class I, for instance due to the nature of their cybersecurity-related function or intended use in
Amendment 158 #
Proposal for a regulation Recital 28 (28) This Regulation addresses cybersecurity risks in a targeted manner. Products with digital elements might, however, pose other safety risks, that are not always related to cybersecurity but can be a consequence of a security breach. Those risks should continue to be regulated by other relevant Union product legislation as a rule if a higher level of protection is conferred. If not, safety risks in connection with the cybersecurity functions of products with digital elements should fall within the scope of this Regulation. If no other Union harmonisation legislation is applicable, they should be subject to Regulation [General Product Safety Regulation]. Therefore, in light of the
Amendment 159 #
Proposal for a regulation Recital 30 Amendment 160 #
Proposal for a regulation Recital 31 (31) Regulation [European Health Data Space Regulation proposal] complements the essential requirements laid down in this Regulation. The electronic health record systems (‘EHR systems’) falling under the scope of Regulation [European Health Data Space Regulation proposal] which are products with digital elements within the meaning of this Regulation should therefore also comply with the essential requirements set out in this Regulation
Amendment 161 #
Proposal for a regulation Recital 32 (32) In order to ensure that products with digital elements are secure both at the time of their placing on the market as well as throughout their life-cycle, it is necessary to lay down essential requirements for vulnerability handling and essential cybersecurity requirements relating to the properties of products with digital elements. While manufacturers should comply with all essential requirements related to vulnerability handling
Amendment 162 #
Proposal for a regulation Recital 32 (32) In order to ensure that products with digital elements are secure both at the time of their placing on the market as well
Amendment 163 #
Proposal for a regulation Recital 32 a (new) (32a) In order to ensure the products are designed, developed and produced in line with essential requirements foreseen in Section 1 of Annex I, manufacturers should exercise due diligence when integrating components sourced from third parties in products with digital elements. Given that such components are tailored to and integrated taken into account the specificities of the product, in particular in the case of free and open source software that have not been placed on the market in exchange of financial or other type of monetisation, the manufacturer of the product shall be responsible for ensuring its compliance.
Amendment 164 #
Proposal for a regulation Recital 34 (34) To ensure that the national CSIRTs and the single point of contacts designated in accordance with Article [Article X] of Directive
Amendment 165 #
Proposal for a regulation Recital 34 a (new) (34a) Dependencies on high-risk suppliers of critical products with digital elements intended for the use by essential entities of the type referred to in [Annex I to the Directive XXX/XXXX (NIS2)] pose a strategic risk that needs to be mitigated at Union level. To mitigate this strategic risk there is a need to move beyond non- binding initiatives, such as the 5G toolbox, and move towards a binding toolbox for reducing critical ICT supply chain risks adopted as a delegated act. It should leverage the lessons learned from those past and national experiences, be based upon a risk assessment and offer strategic risk mitigation measures. Critical products with digital elements used in critical sectors should therefore be subjected to a strategic supply chain risk assessment that includes non-technical factors to assess the risk of the manufacturer being subject to undue interference from a third country. Those factors may include the jurisdiction of the supplier/manufacturer and the characteristics of the supplier’s corporate ownership and the links of control to a third-country government where it is established. A high risk is attributed to a third country’s legislation that obliges arbitrary access to any kind of company data, that would e.g. allow it to conduct economic espionage, without legislative or democratic checks and balances, meaningful oversight mechanisms or the right to appeal to an independent judiciary. A high risk is also attributed where a manufacturer is operating under foreign ownership or control that has the power, direct or indirect, whether or not exercised, to direct or decide matters affecting the management or operations of the manufacturer, or in case of opaque ownership structures, which are are state- owned or controlled. Not all instances of control will create security risks, but what should be considered is the extent to which the use of the critical product by the entities: (a) includes access to sensitive or classified information or assets, (b) relates to the storage or transport of sensitive materials or substances, (c) relates to the provision of security services for physical sites or facilities, (d) is for, or relates to, the storage or protection of sensitive or classified information. Non-technical risk factors should not impede procurement from entities established in likeminded strategic partner countries.
Amendment 166 #
Proposal for a regulation Recital 35 (35) Manufacturers should also report to ENISA any incident having an impact on the security of the product with digital elements. Notwithstanding the incident reporting obligations in Directive [Directive XXX/XXXX (NIS2)] for essential and important entities, it is crucial for ENISA, the single points of contact designated by the Member States in
Amendment 167 #
Proposal for a regulation Recital 35 (35) Manufacturers should also report to
Amendment 168 #
Proposal for a regulation Recital 35 a (new) (35a) The manufacturers of products with digital elements are often in a situation where a particular incident, because of its features, needs to be reported to various authorities as a result of notification obligations included in various legal instruments. Such cases create additional burdens and may also lead to uncertainties with regard to the format and procedures of such notifications. In view of this and, for the purposes of simplifying the reporting of security incidents, Member States should establish a single entry point for all notifications required under this Regulation, Directive (EU) 2022/2555, and possibly also under other Union law such as Regulation (EU) 2016/679 and Directive 2002/58/EC. The Commission should develop and adopt common notification templates by means of implementing acts that would simplify and streamline the reporting information requested by Union law and decrease the burdens for companies.
Amendment 169 #
Proposal for a regulation Recital 35 a (new) (35a) To minimise bureaucratic burden, especially on SMEs, there should be only two reporting stages after discovering an actively exploited vulnerability and the reportings should include only necessary information to make the competent authority aware of the incident and the measures taken and allow for the entity to seek assistance. The early warning after 24 hours should be seen as first notification with only the most essential information to raise ENISA’s awareness of the incident. After 72 hours, a manufacturer should state more precisely which measures were taken after the incident.
Amendment 170 #
Proposal for a regulation Recital 35 a (new) (35a) Reporting should be as convenient and efficient as possible. For this purpose, ENISA should provide for an online system into which all requested information can be inserted.
Amendment 171 #
Proposal for a regulation Recital 36 (36) Manufacturers of products with digital elements should put in place
Amendment 172 #
Proposal for a regulation Recital 36 (36) Manufacturers of products with digital elements should put in place additional own coordinated vulnerability disclosure policies to facilitate the reporting of vulnerabilities by individuals or entities. A coordinated vulnerability disclosure policy should specify a structured process through which vulnerabilities are reported to a manufacturer in a manner allowing the manufacturer to diagnose and remedy such vulnerabilities before detailed vulnerability information is disclosed to third parties or to the public. Given the fact that information about exploitable vulnerabilities in widely used products with digital elements can be sold at high prices on the black market, manufacturers of such products should be able to use programmes, as part of their coordinated vulnerability disclosure policies, to incentivise the reporting of vulnerabilities by ensuring that individuals or entities receive recognition and compensation for their efforts (so-called ‘bug bounty programmes’).
Amendment 173 #
Proposal for a regulation Recital 37 (37) In order to facilitate vulnerability
Amendment 174 #
Proposal for a regulation Recital 38 (38) In order to facilitate assessment of conformity with the requirements laid down by this Regulation, there should be a presumption of conformity for products with digital elements which are in conformity with harmonised horizontal or domain specific standards, which translate the essential requirements of this Regulation into detailed technical specifications, and which are adopted in accordance with Regulation (EU) No 1025/2012 of the European Parliament and of the Council29. Regulation (EU) No 1025/2012 provides for a procedure for objections to harmonised standards where those standards do not entirely satisfy the requirements of this Regulation. _________________ 29 Regulation (EU) No 1025/2012 of the
Amendment 175 #
Proposal for a regulation Recital 38 a (new) (38a) According to the WTO Agreement on Technical Barriers to Trade, when technical regulations are necessary and relevant international standards exist, WTO Members should use those standards as the basis for their own technical regulations. It is important to avoid duplication of work among standardisation organisations, as international standards are intended to facilitate the harmonisation of national and regional technical regulations and standards, thereby reducing non-tariff technical barriers to trade. Given that cybersecurity is a global issue, the EU should strive for maximum alignment. To achieve this objective, the standardisation request for this Regulation, as set out in Article 10 of Regulation (EU) 1025/2012, should seek to reduce barriers to the acceptance of standards by publishing their references in the Official Journal of the EU, in accordance with Article 10(6) of Regulation (EU) 1025/2012.
Amendment 176 #
Proposal for a regulation Recital 38 b (new) (38b) Considering the broad scope of this Regulation, the timely development of harmonised standards poses a significant challenge. To enhance the security of products with digital components in the Union market, international standards should be published as a standard providing presumption of conformity.
Amendment 177 #
Proposal for a regulation Recital 39 (39) Regulation (EU) 2019/881 establishes a voluntary European cybersecurity certification framework for ICT products, processes and services. European cybersecurity certification schemes
Amendment 178 #
Proposal for a regulation Recital 41 Amendment 179 #
Proposal for a regulation Recital 41 (41) Where no harmonised standards are adopted or where the harmonised standards do not sufficiently address the essential requirements of this Regulation, the Commission should be able to adopt common specifications by means of implementing acts. Reasons for developing such common specifications, instead of relying on harmonised standards, might include a refusal of the standardisation request by any of the European standardisation organisations, undue delays in the establishment of appropriate harmonised standards, or a lack of compliance of developed standards with the requirements of this Regulation or with a request of the Commission. When developing such common specifications, the Commission should take into consideration the relevant international standards. In order to facilitate assessment of conformity with the essential requirements laid down by this Regulation, there should be a presumption of conformity for products with digital elements that are in conformity with the common specifications adopted by the Commission according to this Regulation for the purpose of expressing detailed technical specifications of those requirements.
Amendment 180 #
Proposal for a regulation Recital 41 (41) Where no harmonised standards are adopted, and after taking in due consideration widely accepted international standards, or where the harmonised standards do not sufficiently address the essential requirements of this Regulation, the Commission should be able to adopt common specifications by means of
Amendment 181 #
Proposal for a regulation Recital 45 (45) As a general rule the requirements for the conformity assessment of products with digital elements should be risk-based and to that regard in many cases the assessment could be carried out by the manufacturer under its own responsibility following the procedure based on Module
Amendment 182 #
Proposal for a regulation Recital 45 (45) As a general rule the conformity assessment of products with digital elements should be carried out by the manufacturer under its own responsibility following the procedure based on Module A of Decision 768/2008/EC. The manufacturer should retain flexibility to choose a stricter conformity assessment procedure involving a third
Amendment 183 #
Proposal for a regulation Recital 53 (53) In the interests of competitiveness, it is crucial that notified bodies apply the conformity assessment procedures without creating unnecessary burden for economic operators, in particular for micro, small, medium sized enterprises. In this regard, Member States, with the support of the Commission, should ensure that there is an adequate availability of cybersecurity skilled professionals in order to ensure that notified bodies can carry out their activities efficiently thus facilitating economic operators' compliance to this Regulation. For the same reason, and to ensure equal treatment of economic operators, consistency in the technical application of the conformity assessment procedures needs to be ensured. That should be best achieved through appropriate coordination and cooperation between notified bodies.
Amendment 184 #
Proposal for a regulation Recital 53 (53) In the interests of competitiveness, it is crucial that notified bodies apply the conformity assessment procedures without creating unnecessary burden
Amendment 185 #
Proposal for a regulation Recital 53 a (new) (53a) In order to increase efficiency and transparency, the Commission should within 24 months from the entry into force of this Regulation, ensure that there is a sufficient number of notified bodies in the Union to carry out a conformity assessment, in order to avoid bottlenecks and hindrances to market entry.
Amendment 186 #
Proposal for a regulation Recital 56 (56) A dedicated administrative cooperation group (ADCO) for cyber resilience of products with digital elements should be established for the uniform application of this Regulation, pursuant to Article 30(2) of Regulation (EU) 2019/1020. This ADCO should be composed of representatives of the designated market surveillance authorities and, if appropriate, representatives of the single liaison offices. The Commission should support and encourage cooperation between market surveillance authorities through the Union Product Compliance Network, established on the basis of Article 29 of Regulation (EU) 2019/1020 and comprising representatives from each Member State, including a representative of each single liaison office referred to in Article 10 of Regulation (EU) 2019/1020 and an optional national expert, the chairs of ADCOs, and representatives from the Commission. The Commission should participate in the meetings of the Network, its sub-groups and this respective ADCO. It should also assist this ADCO by means of an executive secretariat that provides technical and logistic support.
Amendment 187 #
Proposal for a regulation Recital 57 a (new) (57a) In this framework, in order to provide updated information on the cyber security of critical products with digital elements, as defined in Annex III, the Commission should consider the adoption of measures aimed at informing the market on products that, according to Article 10 (6) of this Regulation, will not receive any further cyber security management.
Amendment 188 #
Proposal for a regulation Recital 61 (61) Simultaneous coordinated control actions (‘sweeps’) are specific enforcement actions by market surveillance authorities that can further enhance product security. Sweeps should, in particular, be conducted where market trends, consumer complaints or other indications suggest that certain product categories are often found to present cybersecurity risks. ENISA should submit proposals for categories of products for which sweeps could be organised to the market surveillance authorities, based, among others, on the notifications of product vulnerabilities and incidents it receives. ENISA should also coordinate national market surveillance authorities for regular checks of products with digital elements placed on the market by manufacturers that might present a security risk for the EU, with particular regard to identifying exploitable vulnerabilities.
Amendment 189 #
Proposal for a regulation Recital 62 (62) In order to ensure that the regulatory framework can be adapted where necessary, the power to adopt acts in accordance with Article 290 of the Treaty should be delegated to the Commission in respect of updates to the list of critical products in Annex III and specifying the definitions of the these product categories. Power to adopt acts in accordance with that Article should be delegated to the Commission to identify products with digital elements covered by other Union rules which achieve the same level of protection as this Regulation, specifying whether a limitation or exclusion from the scope of this Regulation would be necessary as well as the scope of that limitation, if applicable. Power to adopt acts in accordance with that Article should also be delegated to the Commission in respect of the potential mandating of certification of certain highly critical products with digital elements based on criticality crieria set out in this Regulation, as well as for specifying the minimum content of the EU declaration of conformity and supplementing the elements to be included in the technical documentation. Powers to adopt acts should also be delegated to the Commission to specify the format and elements of the software bill of materials, specify further the type of information, format and procedure of the notifications on actively exploited vulnerabilities and incidents submitted to ENISA by manufacturers. The Commission is also empowered to adopt delegated acts to establish common specifications in respect of the essential requirements set out in Annex I. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Inter-institutional Agreement of 13 April 2016 on Better Law-Making33. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
Amendment 190 #
Proposal for a regulation Recital 62 (62) In order to ensure that the regulatory framework can be adapted where necessary, the power to adopt acts in accordance with Article 290 of the Treaty should be delegated to the Commission in respect of updates to the list of critical products in Annex III and specifying the definitions of the these product categories. Such updates shall be carried out periodically by the Commission, ensuring timely changes to the list of critical products in Annex III. Power to adopt acts in accordance with that Article should be delegated to the Commission to identify products with digital elements covered by other Union rules which achieve the same level of protection as this Regulation, specifying whether a limitation or exclusion from the scope of this Regulation would be necessary as well as the scope of that limitation, if applicable. Power to adopt acts in accordance with that Article should also be delegated to the Commission in respect of the potential mandating of certification of certain highly critical products with digital elements based on criticality crieria set out in this Regulation, as well as for specifying the minimum
Amendment 191 #
Proposal for a regulation Recital 63 (63) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to:
Amendment 192 #
Proposal for a regulation Recital 63 (63) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to, in open consultation with stakeholders and in consideration of international and industry standards: specify the format and elements of the software bill of materials, specify further the type of information, format and procedure of the notifications on actively exploited vulnerabilities and incidents
Amendment 193 #
Proposal for a regulation Recital 63 (63) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should
Amendment 194 #
Proposal for a regulation Recital 65 (65) In order to ensure effective enforcement of the obligations laid down in this Regulation, each market surveillance authority should have the power to impose or request the imposition of administrative fines. Maximum levels for administrative fines to be provided for in national laws for non-compliance with the obligations laid down in this Regulation should therefore be established. When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation should be taken into account and as a minimum those explicitly established in this Regulation, including whether the manufacturer is SME, with particular attention payed to micro manufacturers and start-ups, or whether administrative fines have been already applied by other market surveillance authorities to the same operator for similar infringements. Such circumstances can be either aggravating, in situations where the infringement by the same operator persists on the territory of other Member States than the one where an administrative fine has already been applied, or mitigating, in ensuring that any other administrative fine considered by another market surveillance authority for the same economic operator or the same type of breach should already take account, along with other relevant specific circumstances, of a penalty and the quantum thereof imposed in other Member States. In all such cases, the cumulative administrative fine that could be applied by market surveillance authorities of several Member States to the same economic operator for the same type of infringement should ensure the respect of the principle of proportionality.
Amendment 195 #
Proposal for a regulation Recital 65 (65) In order to ensure effective enforcement of the obligations laid down in this Regulation, each market surveillance authority should have the power to impose or request the imposition of administrative fines. Maximum levels for administrative fines to be provided for in national laws for non-compliance with the obligations laid down in this Regulation should therefore be established. When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation should be taken into account, notably the economic operator's size, whether it is a micro, small or medium sized enterprise, and as a minimum th
Amendment 196 #
Proposal for a regulation Recital 66 a (new) (66a) The revenues generated from the payments of penalties should be used to strengthen the level of cybersecurity within the Union, including by developing capacity and skills related to cybersecurity, improving economic operators' cyber resilience, in particular of micro, small and medium sized enterprises and more in general fostering public awareness of cyber security issues.
Amendment 197 #
Proposal for a regulation Recital 69 (69) Economic operators should be provided with a sufficient time to adapt to the requirements of this Regulation. This Regulation should apply [12
Amendment 198 #
Proposal for a regulation Recital 69 (69) Economic operators should be provided with a sufficient time to adapt to the requirements of this Regulation. This Regulation should apply [
Amendment 199 #
Proposal for a regulation Recital 69 (69) Economic operators should be provided with a sufficient time to adapt to the requirements of this Regulation. This Regulation should apply [
Amendment 200 #
Proposal for a regulation Recital 69 (69) Economic operators should be provided with a sufficient time to adapt to the requirements of this Regulation. This Regulation should apply [32
Amendment 201 #
Proposal for a regulation Recital 69 a (new) Amendment 202 #
Proposal for a regulation Recital 69 a (new) (69a) This Regulation may generate additional costs to micro, small and medium-sized enterprises. In order to support these enterprises that may face additional costs, the Commission should establish financial and technical support that allows for these companies to contribute to the European cybersecurity landscape.
Amendment 203 #
Proposal for a regulation Recital 70 a (new) (70a) This Regulation is without prejudice to the Member States’ prerogatives to take measures safeguarding national security, in compliance with Union law. Member States should be able to apply additional measures to products with digital elements that are used for military, defence or national security purposes.
Amendment 204 #
Proposal for a regulation Article 1 – paragraph 1 – point d (d) rules on market monitoring, market surveillance and enforcement of the above- mentioned rules and requirements.
Amendment 205 #
Proposal for a regulation Article 1 – paragraph 1 – point d (d) rules on market monitoring, surveillance and enforcement of the above- mentioned rules and requirements.
Amendment 206 #
Proposal for a regulation Article 2 – paragraph 1 1. This Regulation applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to an external device or network. This Regulation does not apply to the electronic communications networks as defined in Article 2, point (1), of Directive (EU) 2018/1972 in which products with digital elements are integrated.
Amendment 207 #
Proposal for a regulation Article 2 – paragraph 1 1. This Regulation applies to products with digital elements placed on the market whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.
Amendment 208 #
Proposal for a regulation Article 2 – paragraph 1 1. This Regulation applies to products with digital elements
Amendment 209 #
Proposal for a regulation Article 2 – paragraph 1 1. This Regulation applies to products with digital elements whose intended
Amendment 210 #
Proposal for a regulation Article 2 – paragraph 2 – point c a (new) (ca) Regulation (EU) 2022/2554.
Amendment 211 #
Proposal for a regulation Article 2 – paragraph 3 3. This Regulation does not apply to products with digital elements that have been certified in accordance with Regulation (EU) 2018/1139, nor to products with digital elements that are isolated from external devices and networks.
Amendment 212 #
Proposal for a regulation Article 2 – paragraph 3 a (new) 3a. This Regulation shall not apply to software provided under free and open- source licences, including its source code and modified versions, except when such software is provided as a paid or monetised product. The compliance of free and open-source components of products shall be ensured by the manufacturer of the product.
Amendment 213 #
4a. This regulation does not apply to spare parts that are exclusively manufactured in order to repair products with digital elements that have been placed on the market before the application date of this regulation referred to in Article 57.
Amendment 214 #
Proposal for a regulation Article 2 – paragraph 5 5. This Regulation does not apply to products with digital elements developed exclusively for public security, national security, defence or military purposes or to products specifically designed to process classified information.
Amendment 215 #
Proposal for a regulation Article 2 – paragraph 5 a (new) 5a. This Regulation does not apply to any supply of a product with digital elements for distribution and use on the Union market where such supply, distribution, and use exclusively occurs within the same group of companies within the meaning of Article 2(13) of Regulation (EU) 2015/848.
Amendment 216 #
Proposal for a regulation Article 2 – paragraph 5 a (new) 5a. This Regulation does not apply to free and open-source software, including its source code and modified versions, except when such software is provided in exchange for a price or as a monetised product with the intention of making a profit rather than performing maintenance.
Amendment 217 #
Proposal for a regulation Article 2 – paragraph 5 a (new) 5a. This regulation does not apply to free and open source software supplied outside the course of a commercial activity.
Amendment 218 #
Proposal for a regulation Article 2 – paragraph 5 b (new) 5b. 6 (new) This Regulation does not apply to the internal networks of a product with digital elements if these networks have dedicated endpoints and are secured from external data connection.
Amendment 219 #
Proposal for a regulation Article 2 – paragraph 5 c (new) 5c. 7 (new) This Regulation shall not apply to spare parts intended solely to replace defective parts of products with digital elements, in order to restore their functionality.
Amendment 220 #
Proposal for a regulation Article 3 – paragraph 1 – point 1 (1) ‘product with digital elements’ means any software or hardware product
Amendment 221 #
Proposal for a regulation Article 3 – paragraph 1 – point 1 (1) ‘product with digital elements’ means any software or hardware product
Amendment 222 #
Proposal for a regulation Article 3 – paragraph 1 – point 1 (1) ‘product with digital elements’ means any software or hardware product
Amendment 223 #
Proposal for a regulation Article 3 – paragraph 1 – point 1 a (new) (1a) ‘consumer product with digital elements’ means any product with digital elements’ to be placed on the market with default generic security configuration;
Amendment 224 #
Proposal for a regulation Article 3 – paragraph 1 – point 1 b (new) (1b) ‘business-to-business product with digital elements’ means any product with digital elements’ to be placed on the market with individual security configuration in accordance with contractual arrangements;
Amendment 225 #
Proposal for a regulation Article 3 – paragraph 1 – point 2 (2) ‘remote data processing’ means any remote data processing
Amendment 226 #
Proposal for a regulation Article 3 – paragraph 1 – point 3 Amendment 227 #
Proposal for a regulation Article 3 – paragraph 1 – point 4 Amendment 228 #
Proposal for a regulation Article 3 – paragraph 1 – point 4 a (new) (4a) ‘cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;
Amendment 229 #
Proposal for a regulation Article 3 – paragraph 1 – point 6 (6) ‘software’ means the part of an electronic information system which consists of computer code, with exception of software relating to internet websites;
Amendment 230 #
Proposal for a regulation Article 3 – paragraph 1 – point 11 (11) ‘physical connection’ means any connection between electronic information systems or components implemented using physical means, including through electrical or mechanical interfaces
Amendment 231 #
Proposal for a regulation Article 3 – paragraph 1 – point 16 a (new) (16a) ‘micro, small and medium-sized enterprises’ or ‘SMEs’ means micro, small and medium-sized enterprises as defined in the Annex to Commission Recommendation 2003/361/EC;
Amendment 232 #
Proposal for a regulation Article 3 – paragraph 1 – point 18 (18) ‘manufacturer’ means any natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or
Amendment 233 #
Proposal for a regulation Article 3 – paragraph 1 – point 21 a (new) (21a) 'consumer' means any natural person who, under the circumstances of this Regulation, is acting for purposes which are outside their trade, business, craft or profession.
Amendment 234 #
Proposal for a regulation Article 3 – paragraph 1 – point 21 a (new) (21a) ‘micro, small and medium sized enterprises’ means micro, small and medium sized enterprises as defined in Commission Recommendation 2003/361/EC1a; _________________ 1a Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (notified under document number C(2003) 1422) (OJ L 124, 20.5.2003, p. 36).
Amendment 235 #
Proposal for a regulation Article 3 – paragraph 1 – point 21 b (new) (21b) ‘provider of an online marketplace’ means a provider of an intermediary service using an online interface, which allows consumers to conclude distance contracts with traders for the sale of products;
Amendment 236 #
Proposal for a regulation Article 3 – paragraph 1 – point 26 Amendment 237 #
Proposal for a regulation Article 3 – paragraph 1 – point 31 (31) ‘substantial modification’ means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential requirements set out in Section 1 of Annex I or results in a modification to the intended use for which the product with digital elements has been assessed, excluding security and maintenances updates that aim to mitigate vulnerabilities;
Amendment 238 #
Proposal for a regulation Article 3 – paragraph 1 – point 31 (31) ‘substantial modification’ means a change by the manufacturer to the product with digital elements following its placing on the market,
Amendment 239 #
Proposal for a regulation Article 3 – paragraph 1 – point 31 (31) ‘substantial modification’ means a change or a series of changes to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential requirements set out in Section 1 of Annex I or results in a modification to the intended use for which the product with digital elements has been assessed;
Amendment 240 #
Proposal for a regulation Article 3 – paragraph 1 – point 34 a (new) (34a) ‘international standard’ means an international standard as defined in Article 2, point (1)(a), of Regulation (EU) No 1025/2012;
Amendment 241 #
Proposal for a regulation Article 3 – paragraph 1 – point 34 b (new) (34b) ‘near miss’ means a near miss as defined in Article 6, point (5), of Directive (EU) 2022/2555;
Amendment 242 #
Proposal for a regulation Article 3 – paragraph 1 – point 34 c (new) (34c) ‘incident’ means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;
Amendment 243 #
Proposal for a regulation Article 3 – paragraph 1 – point 36 a (new) (36a) ‘cyber threat’ means a cyber threat as defined in Article 2, point (10), of Regulation (EU) 2019/881;
Amendment 244 #
Proposal for a regulation Article 3 – paragraph 1 – point 36 b (new) (36b) ‘significant cyber threat’ means a significant cyber threat as defined in Article 2, point (11), of Regulation (EU) 2019/881;
Amendment 245 #
Proposal for a regulation Article 3 – paragraph 1 – point 37 (37) ‘software bill of materials’ or ‘SBOM’ means a formal record containing details and supply chain relationships of components included in the software elements of a product with digital elements;
Amendment 246 #
Proposal for a regulation Article 3 – paragraph 1 – point 39 (39) ‘actively exploited vulnerability’ means a vulnerability for which there is reliable evidence that execution of malicious code was performed by an actor on a system without permission of the system owner; but does not include a vulnerability for which there is reliable evidence that the exploitation was performed by an actor for purposes of good faith testing, investigation, correction, or disclosure of a security flaw or vulnerability to promote the security or safety of the system owner, computers or software, or those who use such computers or software;
Amendment 247 #
Proposal for a regulation Article 3 – paragraph 1 – point 39 (39) ‘
Amendment 248 #
Proposal for a regulation Article 3 – paragraph 1 – point 39 – point a (new) a) ‘expected product lifetime’ means the lifetime a manufacturer documents in the information and instructions to the user defined in Annex II (8). For software it includes the iterated modifications within the version that was placed in the market.
Amendment 249 #
Proposal for a regulation Article 3 – paragraph 1 – point 39 a (new) (39a) ‘incident’ means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;
Amendment 250 #
Proposal for a regulation Article 4 – paragraph 2 2.
Amendment 251 #
Proposal for a regulation Article 4 – paragraph 3 Amendment 252 #
Proposal for a regulation Article 4 – paragraph 3 3. Member States shall not prevent the making available of unfinished software which does not comply with this Regulation
Amendment 253 #
Proposal for a regulation Article 4 – paragraph 3 3. Member States shall not prevent the making available of unfinished software which does not comply with this Regulation provided that the software is only made available in a non-production version for a limited period required for testing purposes, including software labelled as “beta,” “pre-release,” or “candidate", and that a visible sign clearly indicates that it does not comply with this Regulation and will not be available on the market for purposes other than testing.
Amendment 254 #
Proposal for a regulation Article 4 – paragraph 3 a (new) 3a. This Regulation shall not prevent Member States from applying additional measures to products with digital elements provided that such measures are proportionate and aim to safeguard products, infrastructure or processed information and provided that those specific products are used for critical system functions or critical components deployed in sectors of high criticality as set out in Annex I to Directive (EU) 2022/2555.
Amendment 255 #
Proposal for a regulation Article 5 – paragraph 1 – point 1 (1) they meet the essential requirements set out in Section 1 of Annex I, under the condition that they are properly installed, maintained, used for their intended purpose or under conditions which can reasonably be foreseen, and
Amendment 256 #
Proposal for a regulation Article 6 – paragraph 1 1. Products with digital elements that belong to a category which is listed in Annex III shall be considered critical products with digital elements.
Amendment 257 #
Proposal for a regulation Article 6 – paragraph 2 – introductory part 2.
Amendment 258 #
Proposal for a regulation Article 6 – paragraph 2 – introductory part 2. The Commission is empowered to adopt delegated acts in accordance with Article 50 to amend Annex III by including in the list of categories of critical products with digital elements a new category or withdrawing an existing one from that list. The Commission should carry out periodical checks to assess whether the list of critical products with digital elements needs to be integrated or updated. When assessing the need to amend the list in Annex III, the Commission shall take into account the level of cybersecurity risk related to the category of products with digital elements. In determining the level of cybersecurity risk, one or several of the following criteria shall be taken into account:
Amendment 259 #
Amendment 260 #
Proposal for a regulation Article 6 – paragraph 3 3. The Commission is empowered to adopt a delegated act in accordance with Article 50 to supplement this Regulation by specifying the definitions of the product categories under class I and class II as set out in Annex III.
Amendment 261 #
Proposal for a regulation Article 6 – paragraph 3 3. The Commission is empowered to adopt a delegated act in accordance with Article 50 to supplement this Regulation by specifying the definitions of the product categories under class I and class II as set out in Annex III. The delegated act shall be adopted [by
Amendment 262 #
Proposal for a regulation Article 6 – paragraph 3 3. The Commission is empowered to adopt a delegated act in accordance with Article 50 to supplement this Regulation by specifying the definitions of the product
Amendment 263 #
Proposal for a regulation Article 6 – paragraph 4 4. Critical products with digital elements shall be subject to the conformity assessment procedures referred to in Article 24(2) and (3). By exception, small and micro enterprises can use the procedure referred to in Article 24(2).
Amendment 264 #
Proposal for a regulation Article 6 – paragraph 5 Amendment 265 #
Proposal for a regulation Article 6 – paragraph 5 Amendment 266 #
Proposal for a regulation Article 6 – paragraph 5 – introductory part 5. The Commission is empowered to adopt delegated acts in accordance with Article 50 to supplement this Regulation by specifying categories of highly critical products with digital elements for which the manufacturers shall be required to obtain a European cybersecurity certificate under a European cybersecurity certification scheme at assurance level "high" pursuant to Regulation (EU) 2019/881 to demonstrate conformity with the essential requirements set out in Annex I, or parts thereof. When determining such categories of highly critical products with digital elements, the
Amendment 267 #
Proposal for a regulation Article 9 – paragraph 1 – subparagraph 1 (new) Internal networks of a machinery product with digital elements are not subject to this Regulation when they are secured via dedicated endpoints and isolated from external networks, and where the manufacturer assess and indicate the intended final use of the component for the sole internal operations and communication.
Amendment 268 #
Proposal for a regulation Article 10 – paragraph -1 (new) -1. Software manufacturers which qualify as a microenterprise as defined in Commission Recommendation 2003/361/EC shall make best efforts to comply with the requirements in this Regulation during the 12 months from placing a software on the market.
Amendment 269 #
Proposal for a regulation Article 10 – paragraph 1 1. When placing a product with digital elements on the market, manufacturers shall ensure that it has been designed, developed and produced in accordance with the essential requirements set out in Section 1 of Annex I. Manufacturers may deviate from a requirement in justified cases if it does not apply due to the nature of the product. Manufacturers should document the justification in the cybersecurity risks assessment in accordance to paragraph 2.
Amendment 270 #
Proposal for a regulation Article 10 – paragraph 1 1. When placing a product with digital elements on the market, manufacturers shall ensure take reasonable measures that it has been designed, developed and produced in accordance with the essential requirements set out in Section 1 of Annex I.
Amendment 271 #
Proposal for a regulation Article 10 – paragraph 2 2. For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall undertake an assessment of the cybersecurity risks associated with a data connection to an external device or network of a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing security incidents and minimising the impacts of such incidents, including in relation to the health and safety of users.
Amendment 272 #
Proposal for a regulation Article 10 – paragraph 4 4. For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties in products with digital elements.
Amendment 273 #
Proposal for a regulation Article 10 – paragraph 4 4. For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties in products with digital elements, including when they integrate components of open-source software that have not been supplied in the course of a commercial activity. They shall ensure that such components do not compromise the security of the product with digital elements.
Amendment 274 #
Proposal for a regulation Article 10 – paragraph 4 4. For the purposes of complying with the obligation laid down in paragraph 1,
Amendment 275 #
Proposal for a regulation Article 10 – paragraph 6 – subparagraph 1 When placing a product with digital elements on the market,
Amendment 276 #
Proposal for a regulation Article 10 – paragraph 6 – subparagraph 1 When placing a product with digital elements on the market, and for the expected product lifetime indicated by the manufacturer, or for a period of five years from the placing of the product on the market, whichever is shorter, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I.
Amendment 277 #
Proposal for a regulation Article 10 – paragraph 6 – subparagraph 1 When placing a product with digital elements on the market,
Amendment 278 #
Proposal for a regulation Article 10 – paragraph 6 – subparagraph 1 Amendment 279 #
Proposal for a regulation Article 10 – paragraph 6 – subparagraph 1 Amendment 280 #
Proposal for a regulation Article 10 – paragraph 6 – subparagraph 1 Amendment 281 #
Proposal for a regulation Article 10 – paragraph 6 – subparagraph 1 When placing a product with digital elements on the market, and for the expected product lifetime
Amendment 282 #
Proposal for a regulation Article 10 – paragraph 6 – subparagraph 1 a (new) Manufacturers shall determine the expected product lifetime referred to in the first subparagraph of this paragraph taking into account the time users reasonably expect to be able to use the product given functionality and intended purpose and therefore can expect to receive security updates.
Amendment 283 #
Proposal for a regulation Article 10 – paragraph 6 – subparagraph 2 a (new) Manufacturers shall determine the expected product lifetime referred to in the first subparagraph of this paragraph, taking into account the time users reasonably expect to be able to use the product given its functionality and intended purpose, and therefore can expect to receive security updates.
Amendment 284 #
Proposal for a regulation Article 10 – paragraph 7 – subparagraph 1 Before placing a product with digital elements on the market, manufacturers shall draw up the technical documentation referred to in Article 23. The technical documentation shall be made available by the manufacturers, to the market surveillance authorities or CSIRTs, upon justified request, for the purpose of specific supervisory tasks and incident handling set in this Regulation. Those authorities shall ensure the confidentiality and appropriate protection of the information provided in the technical documentation.
Amendment 285 #
Proposal for a regulation Article 10 – paragraph 8 8. Manufacturers shall keep the technical documentation and the EU declaration of conformity, where relevant, at the disposal of the market surveillance authorities for ten years, or for the expected product lifetime, whichever is longer, after the product with digital elements has been placed on the market.
Amendment 286 #
Proposal for a regulation Article 10 – paragraph 8 8. Manufacturers shall keep the technical documentation and the EU declaration of conformity,
Amendment 287 #
8. Manufacturers shall keep the technical documentation and the EU declaration of conformity,
Amendment 288 #
Proposal for a regulation Article 10 – paragraph 9 9. Manufacturers shall ensure that procedures are in place for products with digital elements that are part of a series of production to remain in conformity. The manufacturer shall adequately take into account changes in the development and production process or in the design or characteristics of the product with digital elements and changes in the harmonised or international standards, European cybersecurity certification schemes or the common specifications referred to in Article 19 by reference to which the conformity of the product with digital elements is declared or by application of which its conformity is verified. Where new knowledge, techniques, or standards become available, which were not available at the time of design of a serial product, the manufacturer may consider implementing such improvements for future product generations. The manufacturer shall take into account the associated costs and efforts, including the efforts required for development, testing, validation and approval process time.
Amendment 289 #
Proposal for a regulation Article 10 – paragraph 9 9. Manufacturers shall ensure that procedures are in place for products with digital elements that are part of a series of production to remain in conformity. The manufacturer shall adequately take into account changes in the development and production process or in the design or characteristics of the product with digital elements and changes in the harmonised horizontal or domain specific standards, European cybersecurity certification schemes or the common specifications referred to in Article 19 by reference to which the conformity of the product with digital elements is declared or by application of which its conformity is verified.
Amendment 290 #
Proposal for a regulation Article 10 – paragraph 9 9. Manufacturers shall ensure that procedures are in place for products with digital elements that are part of a series of production to remain in conformity. The manufacturer shall adequately take into account changes in the development and production process or in the design or characteristics of the product with digital
Amendment 291 #
Proposal for a regulation Article 10 – paragraph 9 a (new) 9a. Manufacturers shall publicly communicate and advertise the expected product lifetime of their products, in a clear and understandable manner, and in particular, the minimal duration of the provision of security updates.
Amendment 292 #
Proposal for a regulation Article 10 – paragraph 10 10. Manufacturers shall ensure that products with digital elements are accompanied by the information and instructions set out in Annex II, in an electronic or physical form. Such
Amendment 293 #
Proposal for a regulation Article 10 – paragraph 10 a (new) 10a. Manufacturers shall clearly and understandably specify in an easily accessible manner and where applicable on the packaging of the product with digital elements, the end date for the expected product lifetime as referred to in paragraph 6, including at least the month and year, until which the manufacturer will at least ensure the effective handling of vulnerabilities in accordance with the essential requirements set out in Section 2 of Annex I.
Amendment 294 #
Proposal for a regulation Article 10 – paragraph 10 a (new) 10a. Manufacturers shall clearly specify in an easily accessible manner, and where applicable, on the packaging of the product with digital elements, the end date for the expected product lifetime as referred to in paragraph 6, including at least the month and year, until which the manufacturer will at least ensure the effective handling of vulnerabilities in accordance with the essential requirements set out in Section 2 of Annex I.
Amendment 295 #
Proposal for a regulation Article 10 – paragraph 12 12. From the placing on the market and for the expected product lifetime
Amendment 296 #
Proposal for a regulation Article 10 – paragraph 12 12. From the placing on the market and for the expected product lifetime indicated by the manufacturer in accordance with paragraph 6 of this Article, or for a period of five years after the placing on the market of a product with digital elements, whichever is shorter, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements set out in Annex I shall immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.
Amendment 297 #
Proposal for a regulation Article 10 – paragraph 12 12. From the placing on the market and for the entire expected
Amendment 298 #
Proposal for a regulation Article 10 – paragraph 12 12. From the placing on the market
Amendment 299 #
Proposal for a regulation Article 10 – paragraph 13 a (new) 13a. For the purposes of complying with the obligations laid down in this Regulation, manufacturers shall ensure that they use adequate skilled professionals in the field of cybersecurity.
Amendment 300 #
Proposal for a regulation Article 10 – paragraph 15 15. The Commission may, by means of implementing acts, and following an open consultation with stakeholders and in line with international standards, specify the format and elements of the software bill of materials set out in Section 2, point (1), of Annex I. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 51(2).
Amendment 301 #
Proposal for a regulation Article 10 – paragraph 15 15. The Commission may, by means of
Amendment 302 #
Proposal for a regulation Article 10 – paragraph 15 15. The Commission may,
Amendment 303 #
Proposal for a regulation Article 10 – paragraph 15 15. The Commission may, by means of
Amendment 304 #
Proposal for a regulation Article 10 a (new) Article10a Reporting of vulnerabilities 1. The manufacturer shall, without undue delay, notify to CSIRT in the Member State of main establishment designated as a coordinator for the purposes of coordinated vulnerability disclosure in accordance with Article 12(1) of Directive 2022/2555 of Member States concerned any patched vulnerability contained in the product with digital elements and may voluntarily notify, where appropriate, also the unpatched vulnerability. The notification shall include details concerning that vulnerability and, where applicable, any corrective or mitigating measures taken, in particular regarding available patches. The mere act of notification of vulnerability shall not subject the notifying manufacturer to increased liability. CSIRT designated as a coordinator shall, without undue delay, unless for justified cybersecurity risk- related grounds, forward the notification to the upon receipt to ENISA and inform the market surveillance authorities concerned about the notified vulnerability. 2. The information about vulnerability shall be stored in a European vulnerability database referred to in Article 12(2) of Directive 2022/2555, maintained by ENISA. That database shall include: (a) information describing the vulnerability; (b) the affected product with digital elements and the severity of the vulnerability in terms of the circumstances under which it may be exploited; (c) the availability of related patches and, in the absence of available patches, guidance provided by the competent authorities or the CSIRTs addressed to users of vulnerable product with digital elements as to how the risks resulting from disclosed vulnerabilities can be mitigated. 3. Natural or legal persons shall be able to report, anonymously where they so request, a vulnerability of product with digital elements to the CSIRT designated as coordinator. The CSIRT designated as coordinator shall without undue delay notify the manufacturer, ensure that diligent follow-up action is carried out with regard to the reported vulnerability and shall ensure the anonymity of the natural or legal person reporting the vulnerability. Where the reporting concerns the manufacturer with main establishment in other Member State, the CSIRT designated as coordinator shall forward it to relevant CSIRT designated as coordinator in that Member State. Where a reported vulnerability could have a significant impact on entities in more than one Member State, the CSIRT designated as coordinator of each Member State concerned shall, where appropriate, cooperate with other CSIRTs designated as coordinators within the CSIRTs network.
Amendment 305 #
Proposal for a regulation Article 11 – title Reporting o
Amendment 306 #
Proposal for a regulation Article 11 – paragraph 1 Amendment 307 #
Proposal for a regulation Article 11 – paragraph 1 1. The manufacturer shall, without undue delay and in any event within 24 hours of becoming aware of it, notify to ENISA any
Amendment 308 #
Proposal for a regulation Article 11 – paragraph 1 1. The manufacturer shall, without undue delay and in any event within 24 hours of becoming aware of it, notify to ENISA any actively exploited vulnerability contained in the product with digital elements. The notification shall include details concerning that vulnerability and,
Amendment 309 #
Proposal for a regulation Article 11 – paragraph 1 1. The manufacturer shall, without undue delay and in any event within 72
Amendment 310 #
Proposal for a regulation Article 11 – paragraph 1 a (new) 1a. 1a. Notifications as referred to in paragraph 1 shall be subject to the following procedure: (a) an early warning, without undue delay and in any event within 24 hours of the manufacturer becoming aware of the known exploited vulnerability, detailing whether any known corrective or mitigating measure is available; (b) a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the known exploited vulnerability, which, where applicable, updates the information referred to in point (a), details any corrective or mitigating measures taken and indicates an assessment of extent of the vulnerability, including its severity and impact; (c) an intermediate report on relevant status updates, upon the request of ENISA; (d) a final report, within one month after the submission of the vulnerability notification under point (b), including at least the following: (i) a detailed description of the vulnerability, including its severity and impact; (ii) where available, information concerning any actor that has exploited or that is exploiting the vulnerability; (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability.
Amendment 311 #
Proposal for a regulation Article 11 – paragraph 1 a (new) 1a. Manufacturers shall submit to ENISA a vulnerability notification within 72 hours of becoming aware of the actively exploited vulnerability, which, where applicable, shall update the information that was given in the early warning, especially on the corrective or mitigating measures taken.
Amendment 312 #
Proposal for a regulation Article 11 – paragraph 1 b (new) 1b. Once a security update has been made available, or an appropriate corrective or mitigation measure has been implemented, ENISA shall add the notified vulnerability to the European vulnerability database referred to in Article 12 of Directive [Directive 2022/2555 (NIS2)].
Amendment 313 #
Proposal for a regulation Article 11 – paragraph 2 2. The manufacturer shall notify, without undue delay and in any event within 24 hours of becoming aware of it, notify to ENISA its CSIRT in the Member State of main establishment of any incident tha
Amendment 314 #
Proposal for a regulation Article 11 – paragraph 2 2. The manufacturer shall,
Amendment 315 #
Proposal for a regulation Article 11 – paragraph 2 2. The manufacturer shall
Amendment 316 #
Proposal for a regulation Article 11 – paragraph 2 a (new) Amendment 317 #
Proposal for a regulation Article 11 – paragraph 2 a (new) 2a. An incident shall be considered to be significant if: (a) it has caused or is capable of causing severe operational disruption of the design, development, production or functioning of the product with digital elements or financial loss for the manufacturer concerned; (b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or non- material damage.
Amendment 318 #
Proposal for a regulation Article 11 – paragraph 2 a (new) 2a. Economic operators that are also identified as essential entities or important entities under the Directive [ Directive XXX.XXXX NIS2 ] and who submit their incident notification pursuant to the Directive [ Directive XXX.XXXX NIS2 ] should be deemed compliant with the requirements in point 2 of this Article. Moreover, an entity may only be fined once for non-compliance to overlapping reporting requirements.
Amendment 319 #
Proposal for a regulation Article 11 – paragraph 2 b (new) 2b. Notifications as referred to in paragraph 2 shall be subject to the following procedure: (a) an early warning, without undue delay and in any event within 24 hours of the manufacturer becoming aware of the significant incident, which, where applicable, indicates whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact; (b) an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the significant incident, which, where applicable, updates the information referred to in point (a) and indicates an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise; (c) an intermediate report on relevant status updates upon the request of ENISA; (d) a final report, within one month after the submission of the incident notification under point (b), including at least the following: (i) a detailed description of the incident, including its severity and impact; (ii) the type of threat or root cause that is likely to have triggered the incident; (iii) applied and ongoing mitigation measures; (iv) where applicable, the cross-border impact of the incident; In the event of an ongoing incident at the time of the submission of the final report referred to in point (d) of the first subparagraph, Member States shall ensure that entities concerned provide a progress report at that time and a final report within one month of their handling of the incident.
Amendment 320 #
Proposal for a regulation Article 11 – paragraph 2 b (new) Amendment 321 #
Proposal for a regulation Article 11 – paragraph 2 c (new) 2c. CSIRT shall, without undue delay, unless for justified cybersecurity risk- related grounds, inform the market surveillance authority about the notified incidents and in the case of a cross-border significant incident forward the notifications to the single point of contact designated in accordance with Article 8(3) of Directive (EU) 2022/2555.
Amendment 322 #
Proposal for a regulation Article 11 – paragraph 3 3.
Amendment 323 #
Proposal for a regulation Article 11 – paragraph 3 a (new) 3a. ENISA shall publish and maintain a known exploited vulnerability catalogue that shall be included in the European vulnerability database established under Directive 2022/2555 (NIS2). The catalogue shall assist manufacturers in detecting known exploitable vulnerabilities and notify vulnerabilities found in their products.
Amendment 324 #
Proposal for a regulation Article 11 – paragraph 4 4.
Amendment 325 #
Proposal for a regulation Article 11 – paragraph 4 4. The manufacturer shall inform, without undue delay and after becoming aware, the impacted users of the product with digital elements about the incident
Amendment 326 #
Proposal for a regulation Article 11 – paragraph 4 4. The manufacturer shall inform, without undue delay and after becoming aware, the users of the product with digital elements about the significant incident and, where necessary, about corrective measures that the user can deploy to mitigate the impact of the significant incident.
Amendment 327 #
Proposal for a regulation Article 11 – paragraph 4 4. The manufacturer shall inform, without undue delay and after becoming aware, the users of the product with digital elements about the incident and, where necessary, about risk mitigation and any corrective measures that the user can deploy to mitigate the impact of the incident.
Amendment 328 #
Proposal for a regulation Article 11 – paragraph 4 a (new) 4a. The CSIRT shall provide, without undue delay and where possible within 24 of receiving the early warning referred to in paragraph 4, point (a), a response to the notifying entity, including initial feedback on the significant incident and, upon request of the entity may provide guidance or operational advice on the implementation of possible mitigation measures. The CSIRT may provide additional technical support if the manufacturer concerned so requests. Where the significant incident is suspected to be of criminal nature, the CSIRT shall provide guidance on reporting the significant incident to law enforcement authorities. CSIRTs may prioritise the processing of mandatory notifications over voluntary notifications, as well as processing of notifications related to critical products with digital elements over other products with digital elements.
Amendment 329 #
Proposal for a regulation Article 11 – paragraph 4 b (new) Amendment 330 #
Proposal for a regulation Article 11 – paragraph 4 c (new) 4c. Where appropriate, and in particular where the significant incident concerns two or more Member States, the CSIRT, the competent authority or the single point of contact shall inform, without undue delay, the other affected Member States and ENISA of the significant incident. Such information shall include the type of information received in accordance with paragraph 2b. In so doing, the CSIRT or the single point of contact shall, in accordance with Union or national law, preserve the entity’s security and commercial interests as well as the confidentiality of the information provided.
Amendment 331 #
Proposal for a regulation Article 11 – paragraph 4 d (new) 4d. Where public awareness is necessary to prevent a significant incident or to deal with an ongoing significant incident, or where disclosure of the significant incident is otherwise in the public interest, a Member State’s CSIRT or, where applicable, its competent authority, and, where appropriate, the CSIRTs or the competent authorities of other Member States concerned, may, after consulting the entity concerned, inform the public about the significant incident or require the entity to do so
Amendment 332 #
Proposal for a regulation Article 11 – paragraph 4 e (new) 4e. At the request of the CSIRT or the competent authority, the single point of contact shall forward notifications received pursuant to paragraph 1 to the single points of contact of other affected Member States.
Amendment 333 #
Proposal for a regulation Article 11 – paragraph 5 5. The Commission
Amendment 334 #
Proposal for a regulation Article 11 – paragraph 5 a (new) 5a. The Commission may adopt, after consulting stakeholders and CSIRTs Network, by means of implementing acts, further specifying further the type of information, format and the procedure of the a notifications and submitted pursuant to paragraphs 1 and 2 of this Article and of a information submitted pursuant to paragraph 4 of this Article and common notification templates for the single reporting under relevant EU law in accordance with Article 11a. Those implementing acts shall be based, where relevant, on European and international standards and shall be adopted in accordance with the examination procedure referred to in Article 51(2).
Amendment 335 #
Proposal for a regulation Article 11 – paragraph 7 7. Manufacturers shall, upon identifying a vulnerability in a component, including in an open source component, which is integrated in the product with digital elements, report the vulnerability and the corrective or mitigating measure taken, to the person or entity maintaining the component.
Amendment 336 #
Proposal for a regulation Article 11 – paragraph 7 7. Manufacturers shall, upon identifying a vulnerability in a component, including in an open source component, which is integrated in the product with digital elements, report the vulnerability to the person or entity maintaining the component. Software modifications in a component developed by manufacturers in order to address reported vulnerabilities shall be shared, including the relevant code, to the person or entity maintaining the component.
Amendment 337 #
Proposal for a regulation Article 11 – paragraph 7 a (new) 7a. ENISA shall establish a digital reporting mechanism, after having consulted relevant stakeholder groups, so that manufacturers are able to fulfil their reporting obligations via an Online Application.
Amendment 338 #
Proposal for a regulation Article 11 a (new) Article11a Single point of contact for users 1. Manufacturers shall designate a single point of contact to enable users to communicate directly and rapidly with them, where applicable by electronic means and in a user-friendly manner, including by allowing recipients of the service to choose the means of communication, which shall not solely rely on automated tools. 2. In addition to the obligations provided under Directive 2000/31/EC, manufacturers shall make public the information necessary for the end users in order to easily identify and communicate with their single points of contact. That information shall be easily accessible and shall be kept up to date.
Amendment 339 #
Proposal for a regulation Article 11 a (new) Article11a Single Entry Point For the purpose of simplifying reporting and of implementing the automatic and direct reporting and forwarding mechanism under Articles 10a and 11 this Regulation, Directive (EU) 2022/2555, and possibly under other relevant EU legislation, such as Regulation (EU) 2016/679, Member States shall establish and use a single entry point.
Amendment 340 #
Proposal for a regulation Article 12 – paragraph 1 1. A manufacturer may appoint an authorised representative(s) for all Member States markets or for specific Member States by a written mandate.
Amendment 341 #
Proposal for a regulation Article 13 – paragraph 2 – point c a (new) (ca) Non-technical risk factors of the manufacturer are taken into consideration for critical products described in Class II of Annex III intended for the use by essential entities of the type referred to in [Annex I to the Directive XXX/XXXX (NIS2)];
Amendment 342 #
Proposal for a regulation Article 13 – paragraph 2 – point c a (new) (ca) all the documents proving the fulfilment of the requirements set in this article have been received from the manufacturer and are available for inspection.
Amendment 343 #
Proposal for a regulation Article 13 – paragraph 3 3. Where an importer considers or has reason to believe that a product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements set out in
Amendment 344 #
Proposal for a regulation Article 13 – paragraph 6 – subparagraph 1 Importers who know or have reason to believe that a product with digital elements, which they have placed on the market, or the processes put in place by its manufacturer, are not in conformity with the essential requirements set out in Annex I shall immediately take the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity with the essential requirements set out in Annex I, or to withdraw or recall the product, if appropriate. Based on a risk assessment, distributors and end users shall be timely informed of the lack of compliance and the risk mitigation measures they can take.
Amendment 345 #
Proposal for a regulation Article 13 – paragraph 6 – subparagraph 1 Importers who know or have reason to believe that a product with digital elements, which they have placed on the market, or the processes put in place by its manufacturer, are not in conformity with the essential requirements set out in Annex I or non-technical risk factors shall immediately take the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity with the essential requirements set out in Annex I, or to withdraw or recall the product, if appropriate.
Amendment 346 #
Proposal for a regulation Article 13 – paragraph 6 – subparagraph 1 Importers who know or have reason to believe that a product with digital elements, which they have placed on the market, or the processes put in place by its manufacturer, are not in conformity with the essential requirements set out in Annex I shall immediately require the manufacturer to take the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity with the essential requirements set out in Annex I, or to withdraw or recall the product, if appropriate.
Amendment 347 #
Proposal for a regulation Article 13 – paragraph 6 – subparagraph 2 Upon identifying a vulnerability in the product with digital elements, importers shall inform the manufacturer without undue delay about that vulnerability.
Amendment 348 #
Proposal for a regulation Article 13 – paragraph 6 – subparagraph 2 a (new) Upon receiving information from the manufacturer that the product with digital elements presents a significant cybersecurity risk, giving details, in particular, of the non-conformity and of any corrective measures taken, importers shall immediately forward this information to the market surveillance authorities of the Member States in which they made the product with digital elements available on the market to that effect.
Amendment 349 #
Proposal for a regulation Article 14 – paragraph 2 – point b a (new) (ba) Non-technical risk factors of the manufacturer are taken into consideration for critical products described in Class II of Annex III intended for the use by essential entities of the type referred to in [Annex I to the Directive XXX/XXXX (NIS2)];
Amendment 350 #
Proposal for a regulation Article 14 – paragraph 2 – point b a (new) (ba) they have received from the importer all the information and documentation required by this regulation.
Amendment 351 #
Proposal for a regulation Article 14 – paragraph 3 3. Where a distributor considers or has reason to believe that a product with digital
Amendment 352 #
Proposal for a regulation Article 14 – paragraph 4 – subparagraph 1 Distributors who know or have reason to believe that a product with digital elements, which they have made available on the market, or the processes put in place by its manufacturer are not in conformity with the essential requirements set out in Annex I shall
Amendment 353 #
Proposal for a regulation Article 14 – paragraph 4 – subparagraph 2 Upon identifying a vulnerability in the product with digital elements, distributors shall inform the manufacturer without undue delay about that vulnerability.
Amendment 354 #
Proposal for a regulation Article 14 – paragraph 4 – subparagraph 2 Upon identifying a vulnerability in the product with digital elements, distributors shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk including on the basis of non-technical risk factors, distributors shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of the non-conformity and of any corrective measures taken.
Amendment 355 #
Proposal for a regulation Article 14 – paragraph 4 – subparagraph 2 a (new) Upon receiving information from the manufacturer that the product with digital elements presents a significant cybersecurity risk, giving details, in particular, of the non-conformity and of any corrective measures taken, distributors shall immediately forward this information to the market surveillance authorities of the Member States in which they made the product with digital elements available on the market to that effect.
Amendment 356 #
Proposal for a regulation Article 16 – paragraph 1 A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements and makes the product available on the market, shall be considered a manufacturer for the purposes of this Regulation.
Amendment 357 #
Proposal for a regulation Article 16 – paragraph 1 A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements and commercially supplies it in the market, shall be considered a manufacturer for the purposes of this
Amendment 358 #
Proposal for a regulation Article 16 – paragraph 1 A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements, with the intention of making a profit, shall be considered a manufacturer for the purposes of this Regulation.
Amendment 359 #
Proposal for a regulation Article 16 – paragraph 1 A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements and makes it available on the market shall be considered a manufacturer for the purposes of this Regulation.
Amendment 360 #
Proposal for a regulation Article 16 – paragraph 1 A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements, making it available on the market, shall be considered a manufacturer for the purposes of this Regulation.
Amendment 361 #
Proposal for a regulation Article 17 – paragraph 1 – introductory part 1. Economic operators shall, on request
Amendment 362 #
Proposal for a regulation Article 17 a (new) Amendment 363 #
Proposal for a regulation Article 18 – paragraph 1 1. Products with digital elements and processes put in place by the manufacturer which are in conformity with harmonised standards or parts thereof the references of which have been published in the Official Journal of the European Union shall be presumed to be in conformity with the essential requirements covered by those standards or parts thereof, set out in Annex I. The Commission shall in accordance with Article 10(1) of Regulation (EU) 1025/2012 request one or more European standardisation organisations to draft harmonised standards for the essential requirements set out in Annex I. When preparing the Standardisation Request for this Regulation, the Commission shall aim for maximum harmonisation with existing or imminent international standards for cybersecurity.
Amendment 364 #
Proposal for a regulation Article 18 – paragraph 1 a (new) 1a. Products with digital elements and processes put in place by the manufacturer which are in conformity with international standards or parts thereof shall be presumed to be in conformity with the essential requirements covered by those standards or parts thereof, set out in Annex I, where harmonised standards referred to in paragraph 1 of this Article do not exist or where there are undue delays in the standardisation procedure or where the request for harmonised standards by the Commission has not been accepted by the European standardisation organisations.
Amendment 365 #
Proposal for a regulation Article 18 – paragraph 2 Amendment 366 #
Proposal for a regulation Article 18 – paragraph 4 4. The Commission is empowered, by means of implementing acts, to specify the European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 t
Amendment 367 #
Proposal for a regulation Article 19 Amendment 368 #
Proposal for a regulation Article 19 – paragraph 1 Amendment 369 #
Proposal for a regulation Article 19 – paragraph 1 Where harmonised standards referred to in Article 18 do not exist or where the Commission considers that the relevant harmonised standards are insufficient to satisfy the requirements of this Regulation or to comply with the standardisation request of the Commission, or where there are undue delays in the standardisation procedure or where the request for harmonised standards by the Commission has not been accepted by the European standardisation organisations, as a last resort the Commission is empowered, by means of
Amendment 370 #
Proposal for a regulation Article 19 – paragraph 1 Where harmonised standards referred to in Article 18 do not exist or where the Commission considers that the relevant harmonised standards are insufficient to satisfy the requirements of this Regulation or to comply with the standardisation request of the Commission, or where there are undue delays in the standardisation procedure or where the request for harmonised standards by the Commission has not been accepted by the European standardisation organisations, the Commission is empowered, by means of
Amendment 371 #
Proposal for a regulation Article 23 – paragraph 2 2. The technical documentation shall be drawn up before the product with digital elements is placed on the market and shall be continuously updated, where appropriate, during the expected product lifetime
Amendment 372 #
Proposal for a regulation Article 23 – paragraph 2 2. The technical documentation shall be drawn up before the product with digital elements is placed on the market and shall be continuously updated, where appropriate, during the expected product lifetime or during a period of five years after the placing on the market of a product with digital elements, whichever is
Amendment 373 #
Proposal for a regulation Article 23 – paragraph 5 5. The Commission is empowered to adopt delegated acts in accordance with Article 50 to supplement this Regulation by the elements to be included in the
Amendment 374 #
Proposal for a regulation Article 23 – paragraph 5 5. The Commission is empowered to adopt delegated acts in accordance with Article 50 to supplement this Regulation by the elements to be included in the technical documentation set out in Annex V to take account of technological developments, of the dimension of economic operators with particular regard to micro, small and medium sized enterprises, as well as developments encountered in the implementation process of this Regulation.
Amendment 375 #
Proposal for a regulation Article 24 – paragraph 1 – point c a (new) (ca) a European cybersecurity certification scheme adopted as per Regulation (EU) 2019/881 in accordance with paragraph 4 of Article 18.
Amendment 376 #
Proposal for a regulation Article 24 – paragraph 2 – introductory part 2. Where, in assessing the compliance of the critical product with digital elements of class I as set out in Annex III and the processes put in place by its manufacturer with the essential requirements set out in Annex I, the manufacturer or the manufacturer’s authorised representative has not applied or has applied only in part harmonised standards, common specifications or European cybersecurity certification schemes as referred to in Article 18, or where such harmonised standards, common specifications or European cybersecurity certification schemes or international standards do not exist, the product with digital elements concerned and the processes put in place by the manufacturer shall be submitted with regard to those essential requirements to either of the following procedures:
Amendment 377 #
Proposal for a regulation Article 24 – paragraph 2 – point b a (new) (ba) where applicable, a European cybersecurity certification scheme at assurance level ‘substantial’ or ‘high’ pursuant to Regulation (EU) 2019/881.
Amendment 378 #
Proposal for a regulation Article 24 – paragraph 3 – introductory part 3. Where the product is a critical product with digital elements of class II as set out in Annex III, the manufacturer or the manufacturer’s authorised representative shall demonstrate conformity with the essential requirements set out in Annex I by acquiring a cybersecurity certificate issued by a European authority, under the European cybersecurity certification scheme and at assurance level "high" as listed in the Regulation (EU) 2019/881. For products with digital elements for which a European cybersecurity certification scheme does not exist or covers them only partially, the manufacturer or the manufacturer’s authorised representative shall demonstrate conformity with the essential requirements set out in Annex I by using one of the following procedures:
Amendment 379 #
Proposal for a regulation Article 24 – paragraph 3 – introductory part 3. Where the product is a critical product with digital elements of class II as set out in Annex III, the manufacturer or the manufacturer’s authorised representative shall demonstrate conformity with the essential requirements set out in Annex I obtaining a European cybersecurity certificate, under a European cybersecurity certification scheme at assurance level ‘high’ pursuant to Regulation (EU) 2019/881. Where such European cybersecurity certification schemes do not exist or only cover parts of the critical product with digital elements, the concerned critical product and the processes put in place by the manufacturer shall demonstrate those essential requirements by using one of the following procedures:
Amendment 380 #
Proposal for a regulation Article 24 – paragraph 3 – point b a (new) (ba) ENISA shall prepare the missing candidate schemes in order to cover all products listed in Annex III, in accordance with Article 48 of the (EU) 2019/881 Regulation.
Amendment 381 #
Proposal for a regulation Article 24 – paragraph 3 a (new) 3a. In accordance with Article 48 of Regulation (EU) 2019/881, the Commission shall request ENISA to prepare the missing candidate schemes with the view of fully covering all the products listed in Annex III.
Amendment 382 #
Proposal for a regulation Article 24 – paragraph 5 5. Notified bodies shall take into account the specific interests and needs of micro, small and medium sized enterprises (SMEs) when setting the fees for conformity assessment procedures and reduce those fees proportionately to their specific interests and needs. The Commission shall take appropriate measures to ensure more accessible and affordable procedures, such as establishing a framework for providing appropriate financial support and guidance for the notified bodies.
Amendment 383 #
Proposal for a regulation Article 24 – paragraph 5 5. Notified bodies shall take into
Amendment 384 #
Proposal for a regulation Article 24 – paragraph 5 5. Notified bodies shall take into account the specific interests and needs of
Amendment 385 #
Proposal for a regulation Article 24 – paragraph 5 5. Notified bodies shall take into account the specific interests and needs of micro, small and medium sized enterprises
Amendment 386 #
Proposal for a regulation Article 25 – paragraph 1 Member States shall notify the Commission and the other Member States of conformity assessment bodies authorised to carry out conformity assessments in accordance with this Regulation. Member States and the Commission shall put in place appropriate measures to ensure sufficient availability of skilled professionals, in order to minimise bottlenecks in the activities pursuant to articles 26 to 31.
Amendment 387 #
Proposal for a regulation Article 28 – paragraph 1 a (new) 1a. The Commission shall, within 24 months from the entry into force of this Regulation, ensure that there is a sufficient number of notified bodies in the Union to carry out a conformity assessment, in order to avoid bottlenecks and hindrances to market entry.
Amendment 388 #
Proposal for a regulation Article 29 – paragraph 7 – point c (c) appropriate knowledge and understanding of the essential requirements set out in Annex I, of the applicable harmonised standards and of the relevant provisions of Union harmonisation legislation and of its implementing acts;
Amendment 389 #
Proposal for a regulation Article 29 – paragraph 7 a (new) 7a. Member States shall put in place appropriate measures to ensure sufficient availability of skilled professionals, in order to minimise bottlenecks in the assessment activities and facilitate the compliance of economic operators to this Regulation.
Amendment 390 #
Proposal for a regulation Article 29 – paragraph 12 12. Conformity assessment bodies shall operate in accordance with a set of
Amendment 391 #
Proposal for a regulation Article 29 – paragraph 12 12. Conformity assessment bodies shall operate in accordance with a set of consistent, fair and reasonable terms and conditions, in particular taking into account the interests of
Amendment 392 #
Proposal for a regulation Article 29 – paragraph 12 12. Conformity assessment bodies shall operate in accordance with a set of consistent, fair and reasonable terms and conditions in line with Article 37(2), in particular taking into account the interests of SMEs in relation to fees.
Amendment 393 #
Proposal for a regulation Article 37 – paragraph 2 2. Conformity assessments shall be carried out in a proportionate manner, avoiding unnecessary burdens for economic operators. Conformity assessment bodies shall perform their activities taking due account of the size of an undertaking, the sector in which it operates, its structure, the degree of complexity and the risk exposure of the product type and technology in question and the mass or serial nature of the production process.
Amendment 394 #
Proposal for a regulation Article 37 – paragraph 4 4. Where a notified body finds that requirements laid down in Annex I or in corresponding harmonised standards or in international standards or in common specifications as referred to in Article 19 have not been met by a manufacturer, it shall require that manufacturer to take appropriate corrective measures and shall not issue a conformity certificate.
Amendment 395 #
3. Where relevant, the market surveillance authorities shall cooperate with the national cybersecurity certification authorities designated under Article 58 of Regulation (EU) 2019/881 and exchange information on a regular basis.
Amendment 396 #
Proposal for a regulation Article 41 – paragraph 3 3. Where relevant, the market surveillance authorities shall cooperate with the national cybersecurity certification authorities designated under Article 58 of Regulation (EU) 2019/881, competent authorities and CSIRTs designated under Articles 8 and 10 of Directive (EU) 2022/2555 and exchange information on a regular basis. With respect to the supervision of the implementation of the reporting obligations pursuant to Articles 10a and 11 of this Regulation, the designated market surveillance authorities shall cooperate with CSIRTs and ENISA.
Amendment 397 #
Proposal for a regulation Article 41 – paragraph 3 a (new) 3a. With respect to the supervision of the implementation of the reporting obligations pursuant to Article 11 of this Regulation, the designated market surveillance authorities shall cooperate with ENISA. The market surveillance authorities may request ENISA to provide technical advice on matters related to the implementation and enforcement of this Regulation. When conducting an investigation under Article 43, market surveillance authorities may request ENISA to provide non-binding evaluations of compliance of products with digital elements.
Amendment 398 #
Proposal for a regulation Article 41 – paragraph 6 6. Member States shall ensure that the designated market surveillance authorities are provided with adequate financial and human resources, with appropriate cybersecurity skills, in order to fulfil their tasks under this Regulation.
Amendment 399 #
Proposal for a regulation Article 41 – paragraph 8 8. Market surveillance authorities may provide guidance and advice to economic operators on the implementation of this Regulation, including on non-technical risk factors, with the support of the Commission.
Amendment 400 #
Proposal for a regulation Article 41 – paragraph 8 8. Market surveillance authorities may provide guidance and advice to economic operators on the implementation of this Regulation, with the support of CSIRTS, ENISA and the Commission.
Amendment 401 #
Proposal for a regulation Article 41 – paragraph 8 a (new) 8a. Market surveillance authorities may publish statistics about the average expected product lifetime, as specified by the manufacturer pursuant to article 10 (10a), per category of products with digital elements.
Amendment 402 #
Proposal for a regulation Article 41 – paragraph 9 a (new) 9a. The Commission shall evaluate the reported data, including the for the purpose of report referred to in Article 41(9). Where the reported data suggest an increased level of non-compliance in specific categories of products, the Commission, after consulting the Expert Group and ADCO, may recommend that all surveillance authorities focus closely on the product categories concerned.
Amendment 403 #
Proposal for a regulation Article 41 – paragraph 11 11. A dedicated administrative cooperation group (ADCO) for cyber resilience of products with digital elements shall be established for the uniform application of this Regulation, pursuant to Article 30(2) of Regulation (EU) 2019/1020. This ADCO shall be composed of representatives of the designated market surveillance authorities and, if appropriate, representatives of single liaison offices. In particular, this ADCO shall exchange best practices and, where relevant, cooperate with Cyber Resilience Expert Group, ENISA, Cooperation Group and CSITs Network.
Amendment 404 #
Proposal for a regulation Article 41 – paragraph 11 a (new) 11a. Market surveillance authorities shall facilitate the active participation of stakeholders in market surveillance activities, including scientific, research and consumer organisations, by establishing a clear and accessible mechanism to facilitate the voluntary reporting of vulnerabilities, incidents, and cyber threats.
Amendment 405 #
Proposal for a regulation Article 41 a (new) Amendment 406 #
Proposal for a regulation Article 41 a (new) Article41a Civil society participation in market surveillance activities The active participation of the relevant actors of the civil society (consumers’ organizations, the scientific community, trade unions, etc.) in market surveillance activities, shall be ensured by market surveillance authorities in the Member States and at EU level, in order to create mechanisms to facilitate the voluntary reporting of vulnerabilities, incidents, and cyber threats.
Amendment 407 #
Where the market surveillance authority of a Member State has sufficient reasons to consider that a product with digital elements, including its vulnerability handling, presents a significant cybersecurity or strategic risk, it shall carry out an evaluation of the product with digital elements concerned in respect of its compliance with all the requirements laid down in this Regulation, including non- technical risk factors. The relevant economic operators shall cooperate as necessary with the market surveillance authority.
Amendment 408 #
Proposal for a regulation Article 43 – paragraph 1 – subparagraph 1 Where the market surveillance authority of a Member State has sufficient reasons to consider that a product with digital elements, including its vulnerability handling, presents a significant cybersecurity risk, it shall carry out, where appropriate in cooperation with CSIRT, an evaluation of the product with digital
Amendment 409 #
Proposal for a regulation Article 43 – paragraph 1 – subparagraph 1 Where the market surveillance authority of a Member State has sufficient reasons to consider that a product with digital elements, including its vulnerability handling, presents a significant cybersecurity risk, it shall carry out without undue delay an evaluation of the product with digital elements concerned in respect of its compliance with all the requirements laid down in this Regulation. The relevant economic operators shall cooperate as necessary with the market surveillance authority.
Amendment 410 #
Proposal for a regulation Article 43 – paragraph 1 – subparagraph 2 Where, in the course of that evaluation, the market surveillance authority finds that the product with digital elements does not comply with the requirements laid down in
Amendment 411 #
Proposal for a regulation Article 43 – paragraph 1 – subparagraph 2 Where, in the course of that evaluation, the market surveillance authority finds that the product with digital elements does not comply with the requirements laid down in this Regulation or present threat to national security, it shall without delay require the relevant operator to take all appropriate corrective actions to bring the product into compliance with those requirements, to withdraw it from the market, or to recall it within a reasonable period, commensurate with the nature of the risk, as it may prescribe.
Amendment 412 #
Proposal for a regulation Article 43 – paragraph 1 – subparagraph 2 Where, in the course of that evaluation, the
Amendment 413 #
Proposal for a regulation Article 43 – paragraph 4 – subparagraph 1 Where the manufacturer of a product with digital elements does not take adequate corrective action within the period referred to in paragraph 1, second subparagraph, or where the relevant Member State authority consider product to present threat to national security, the market surveillance authority shall take all appropriate provisional measures to prohibit or restrict that product being made available on its national market, to withdraw it from that market or to recall it.
Amendment 414 #
Proposal for a regulation Article 43 – paragraph 5 – point b (b) shortcomings in the harmonised
Amendment 415 #
Proposal for a regulation Article 43 – paragraph 7 7. Where, within three months of receipt of the information referred to in paragraph 4, no objection has been raised by either a Member State or the Commission in respect of a provisional measure taken by a Member State, that measure shall be deemed justified. The decision referred to in paragraph 1 of this Article, concerning threat to national security, shall always be deemed justified. This is without prejudice to the procedural rights of the operator concerned in accordance with Article 18 of Regulation (EU) 2019/1020.
Amendment 416 #
Proposal for a regulation Article 44 – paragraph 5 Amendment 417 #
Proposal for a regulation Article 45 – paragraph 1 1. Where the Commission has sufficient reasons to consider, including based on information provided by the competent authorities of Member States, CSIRTs designated in accordance with Directive (EU) 2022/2555 or ENISA, that a product with digital elements that presents a significant cybersecurity risk is non-compliant with the requirements laid down in this Regulation, it may request the relevant market surveillance authorities to carry out an evaluation of compliance and follow the procedures referred to in Article 43.
Amendment 418 #
Proposal for a regulation Article 45 – paragraph 1 1. Where the Commission has sufficient reasons to consider, including based on information provided by ENISA or non-technical risk factors, that a product with digital elements that presents a significant cybersecurity risk is non- compliant with the requirements laid down in this Regulation, it may request the
Amendment 419 #
Proposal for a regulation Article 45 – paragraph 1 1. Where the Commission has sufficient reasons to consider, including based on information provided by ENISA, that a product with digital elements that presents a significant cybersecurity risk is non-compliant with the requirements laid down in this Regulation, it
Amendment 420 #
Proposal for a regulation Article 45 – paragraph 2 2. In exceptional circumstances which justify an immediate intervention to preserve the good functioning of the internal market and where the Commission has sufficient reasons to consider that the product referred to in paragraph 1 remains non-compliant with the requirements laid down in this Regulation, including on the basis of non-technical risk factors, and no effective measures have been taken by the relevant market surveillance authorities, the Commission may request ENISA to carry out an evaluation of compliance. The Commission shall inform the relevant market surveillance authorities accordingly. The relevant economic operators shall cooperate as necessary with ENISA.
Amendment 421 #
Proposal for a regulation Article 45 – paragraph 2 2. In exceptional circumstances which justify an immediate intervention to
Amendment 422 #
Proposal for a regulation Article 45 – paragraph 2 2. In
Amendment 423 #
Proposal for a regulation Article 45 – paragraph 3 3. Based on
Amendment 424 #
Proposal for a regulation Article 46 – paragraph 1 1. Where, having performed an evaluation under Article 43, the market surveillance authority of a Member State finds that although a product with digital elements and the processes put in place by the manufacturer are in compliance with this Regulation, they present a significant cybersecurity risk and, in addition, they pose a risk to the health or safety of persons, to the compliance with obligations under Union or national law intended to protect fundamental rights, the availability authenticity, integrity or confidentiality of services offered using an electronic information system by essential entities of the type referred to in [Annex I to Directive XXX / XXXX (NIS2)] or to other aspects of public interest protection, it shall require the relevant economic operator to take all appropriate measures to ensure that the
Amendment 425 #
Proposal for a regulation Article 46 – paragraph 2 2. The manufacturer or other relevant economic operators shall ensure that corrective action is taken in respect of the products with digital elements concerned that they have made available on the market throughout the Union within the timeline established by the market surveillance authority of the Member State referred to in paragraph 1.
Amendment 426 #
Proposal for a regulation Article 46 – paragraph 6 6. Where the Commission has sufficient reasons to consider, including based on information provided by ENISA, that a product with digital elements, although compliant with this Regulation,
Amendment 427 #
Proposal for a regulation Article 46 – paragraph 7 7. In
Amendment 428 #
Proposal for a regulation Article 46 – paragraph 8 8. Based on ENISA’s evaluation referred to in paragraph 7, the Commission
Amendment 429 #
Proposal for a regulation Article 48 – paragraph 2 2. The Commission or ENISA
Amendment 430 #
Proposal for a regulation Article 49 – paragraph 1 1. Market surveillance authorities
Amendment 431 #
Proposal for a regulation Article 49 – paragraph 2 2. Unless otherwise agreed upon by the market surveillance authorities involved, sweeps shall be coordinated by the Commission. The coordinator of the sweep
Amendment 432 #
Proposal for a regulation Article 49 – paragraph 3 3. ENISA
Amendment 433 #
Proposal for a regulation Article 49 – paragraph 4 4. When conducting sweeps, the market surveillance authorities involved
Amendment 434 #
Proposal for a regulation Article 49 – paragraph 5 5. Market surveillance authorities
Amendment 435 #
Proposal for a regulation Article 49 a (new) Amendment 436 #
Proposal for a regulation Article 49 a (new) Article49a Right to compensation for damage or loss Consumers suffering damage or loss caused by infringements of the obligations under this Regulation by the relevant economic operators, have the right to seek compensation, in accordance with Union and national law.
Amendment 437 #
Proposal for a regulation Article 50 – paragraph 2 2. The power to adopt delegated acts referred to in Article 2(4), Article 6(2), Article 6(3), Article 6(5), Article 10 (15), Article 11(5), Article 19 (1), Article 20(5), and Article 23(5) shall be conferred on the Commission.
Amendment 438 #
Proposal for a regulation Article 50 – paragraph 3 3. The delegation of power referred to in Article 2(4), Article 6(2), Article 6(3), Article 6(5), Article 10(15), Article 11 (5), Article 19(1), Article 20(5), and Article 23(5) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
Amendment 439 #
Proposal for a regulation Article 50 – paragraph 4 4. Before adopting a delegated act, the Commission shall launch a public consultation and consult experts designated by each Member State in accordance with principles laid down in the Inter-institutional Agreement of 13 April 2016 on Better Law-Making.
Amendment 440 #
Proposal for a regulation Article 50 – paragraph 6 a (new) 6a. When exercising the power of delegation, the Commission shall conduct public consultations and engage in regular dialogue with economic operators, in order to collect evidence and evaluate market implications of including or withdrawing categories of products in the scope of this Regulation.
Amendment 441 #
Proposal for a regulation Article 50 – paragraph 6 a (new) 6a. The Commission shall conduct thorough public consultations and engage in regular and structured dialogue with economic operators to gather evidence and evaluate market implications of including or withdrawing categories of products in scope.
Amendment 442 #
Proposal for a regulation Article 51 – paragraph 3 a (new) 3a. The Committee shall conduct thorough public consultations and engage in regular and structured dialogue with economic operators to gather evidence and evaluate market implications of including or withdrawing categories of products in scope.
Amendment 443 #
Proposal for a regulation Article 52 – paragraph 1 – point a (a) intellectual property rights
Amendment 444 #
Proposal for a regulation Article 53 – paragraph 1 1. Member States shall lay down the rules on penalties applicable to infringements by economic operators of this Regulation and shall take all measures necessary to ensure that they are enforced. The penalties provided for shall be effective, proportionate and dissuasive. These rules shall take into account the financial capabilities of micro, small and medium-sized enterprises.
Amendment 445 #
Proposal for a regulation Article 53 – paragraph 6 – point a a (new) (aa) the type of manufactured product and whether entity qualifies as microenterprise for the specific compliance regime outlined in the Article 10(-1) of this Regulation.
Amendment 446 #
Proposal for a regulation Article 53 – paragraph 6 – point b a (new) (ba) whether the manufacturer is SME, with particular attention payed to micro enterprises and start-ups, and whether adequate advice and/or financial support has been provided to them to ensure their compliance with this Regulation;
Amendment 447 #
Proposal for a regulation Article 53 – paragraph 6 – point c (c) the size and market share of the operator committing the infringement, taking into account the scale of risks, consequences and financial specificities of micro, small and medium-sized enterprises.
Amendment 448 #
Proposal for a regulation Article 53 a (new) Article53a Allocation of penalties Member States shall determine the use of revenues generated from the payments of penalties. At least 50% of the revenues generated from the payments of penalties referred to in Article 53 (1) should be earmarked for one or more of the following: (i) increasing the number of skilled professionals in the field of cybersecurity, notably of women; (ii) capacity-building for micro, small and medium sized enterprises in order to facilitate their compliance with this Regulation; (iii) improving public awareness of cyber threats, with particular regard to their prevention and management;
Amendment 449 #
Proposal for a regulation Article 55 – paragraph 2 a (new) 2a. Products with digital elements included in Annex III when placed on the market may meet the conformity assessment requirements under Chapter III by applying the procedure of Article 24 paragraph 1 for a period of 24 months after the date of application of this Regulation as defined in Article 57.
Amendment 450 #
Proposal for a regulation Article 55 – paragraph 3 3. By way of derogation from paragraph 2, the obligations laid down in Article 11 shall apply to all products with digital elements within the scope of this Regulation that have been placed on the market
Amendment 451 #
Proposal for a regulation Article 55 – paragraph 3 a (new) 3a. 4 (new) By way of derogation, for products with digital elements falling in scope of Regulation (Machinery Regulation proposal) or Regulation (EU) 167/2013 of the European Parliament and of the Council, the application date referred to art. 57 is extended by (36 months).
Amendment 452 #
Proposal for a regulation Article 55 – paragraph 3 b (new) 3b. By way of derogation for products with digital elements falling in scope of Regulation (Machinery Regulation proposal) or Regulation 2013/167, where the annual new sales in the EU of each type are fewer than (1000) units, the application date referred to art. 57 is extended by (60 months).
Amendment 453 #
Proposal for a regulation Article 57 – paragraph 2 It shall apply from
Amendment 454 #
Proposal for a regulation Article 57 – paragraph 2 It shall apply from [
Amendment 455 #
Proposal for a regulation Article 57 – paragraph 2 It shall apply from [
Amendment 456 #
Proposal for a regulation Article 57 – paragraph 2 It shall apply from [
Amendment 457 #
Proposal for a regulation Article 57 – paragraph 2 It shall apply from [
Amendment 458 #
Proposal for a regulation Article 57 – paragraph 2 It shall apply from [32
Amendment 459 #
Proposal for a regulation Article 57 – paragraph 2 It shall apply from [
Amendment 460 #
Proposal for a regulation Article 57 – paragraph 2 a (new) By way of derogation, for products with digital elements falling in scope of Regulation [Machinery Regulation] or Regulation 2013/167, the application date referred to in paragraph 2 is extended by [36 months] or, if annual new sales of each product model in the EU are fewer than 1000 units by [60 months]
Amendment 461 #
Proposal for a regulation Annex I – Part 1 – point 2 Amendment 462 #
Proposal for a regulation Annex I – Part 1 – point 2 Amendment 463 #
Proposal for a regulation Annex I – Part 1 – point 2 (2) Products with digital elements shall be delivered without any known exploitable vulnerabilities which the manufacturer knows of, unless a manufacturer ensures that there are updates available which remedy this vulnerability and these are run automatically at the first time of use of the product;
Amendment 464 #
Proposal for a regulation Annex I – Part 1 – point 3 – introductory part (3) On the basis of the cybersecurity risk assessment referred to in Article 10(2) and where applicable, products with digital elements shall:
Amendment 465 #
Proposal for a regulation Annex I – Part 1 – point 3 – point a (a)
Amendment 466 #
Proposal for a regulation Annex I – Part 1 – point 3 – point a (a) be delivered with a secure by default configuration, including the possibility to reset the product to its original state, while safeguarding its security;
Amendment 467 #
Proposal for a regulation Annex I – Part 1 – point 3 – point a a (new) (aa) be placed on the market with functional separation of security updates from functionality updates, to allow automatic installation of security updates, with a clear and easy-to-use opt-out mechanism, and preserve user choice on functionalities unless technically unfeasible.
Amendment 468 #
(aa) (-a) be placed on the market without any known exploitable vulnerabilities described in the European vulnerability database referred to in Article 12(2) of Directive 2022/2555;
Amendment 469 #
Proposal for a regulation Annex I – Part 1 – point 3 – point a a (new) (aa) be placed on the market without any known exploitable vulnerabilities towards an external device or network.
Amendment 470 #
Proposal for a regulation Annex I – Part 1 – point 3 – point b (b) ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems
Amendment 471 #
Proposal for a regulation Annex I – Part 1 – point 3 – point c (c) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other,
Amendment 472 #
Proposal for a regulation Annex I – Part 1 – point 3 – point d (d) protect the integrity of stored, transmitted or otherwise processed data,
Amendment 473 #
Proposal for a regulation Annex I – Part 1 – point 3 – point f (f) protect the availability of essential functions,
Amendment 474 #
Proposal for a regulation Annex I – Part 1 – point 3 – point f (f) protect the availability of essential and basic functions, including the resilience against and mitigation of denial of service attacks;
Amendment 475 #
Proposal for a regulation Annex I – Part 1 – point 3 – point j (j) provide security related information by providing at user request recording and/or monitoring capabilities, locally and at device level for relevant internal activity, including the access to or modification of data, services or functions;
Amendment 476 #
Proposal for a regulation Annex I – Part 1 – point 3 – point k (k)
Amendment 477 #
Proposal for a regulation Annex I – Part 1 – point 3 – point k (k) ensure that vulnerabilities can be addressed through
Amendment 478 #
Proposal for a regulation Annex I – Part 1 – point 3 – point k a (new) (ka) be designed, developed and produced in order to allow for its secure discontinuation and potential recycling when reaching the end of the life cycle, including by allowing users to securely withdraw and remove all data on a permanent basis.
Amendment 479 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – introductory part Amendment 480 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – point 1 (1) identify and document vulnerabilities and components contained in the product,
Amendment 481 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – point 1 (1) identify and document
Amendment 482 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – point 2 (2) in relation to the risks posed to the products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where the above described is not possible in case of business-to-business products with digital elements, the procedure for handling of vulnerabilities may be set in the individual contractual arrangements;
Amendment 483 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – point 2 (2) in relation to the risks posed to the products with digital elements, address and remediate vulnerabilities with
Amendment 484 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – point 4 (4) once a security update has been made available, share and publically disclose information about fixed vulnerabilities, in
Amendment 485 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – point 4 (4) once a security update has been made available, publically disclose information about fixed vulnerabilities,
Amendment 486 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – point 7 (7) provide for mechanisms to securely distribute security updates for products with digital elements to ensure that exploitable vulnerabilities are fixed or mitigated in a timely manner;
Amendment 487 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – point 8 (8) ensure that, where security patches or updates are available to address identified security issues, they are disseminated without delay and for consumer products with digital elements free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken; in case of business-to- business products with digital elements the procedures for patching and updating may be set in the individual contractual arrangements.
Amendment 488 #
Proposal for a regulation Annex I – Part 2 – paragraph 1 – point 8 (8) ensure that, where security patches or updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between the parties, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.
Amendment 489 #
Proposal for a regulation Annex II – paragraph 1 – point 1 1. the name, registered trade name or registered trade mark of the manufacturer,
Amendment 490 #
Proposal for a regulation Annex II – paragraph 1 – point 2 2. the single point of contact where information about cybersecurity vulnerabilities of the product can be reported and received;
Amendment 491 #
Proposal for a regulation Annex II – paragraph 1 – point 5 Amendment 492 #
Proposal for a regulation Annex II – paragraph 1 – point 6 Amendment 493 #
Proposal for a regulation Annex II – paragraph 1 – point 6 6. if and, where applicable, where the software bill of materials can be accessed
Amendment 494 #
Proposal for a regulation Annex II – paragraph 1 – point 6 6. if and, where applicable, where the software bill of materials can be accessed by the competent authorities;
Amendment 495 #
8. the type of technical security support
Amendment 496 #
Proposal for a regulation Annex II – paragraph 1 – point 9 – point c a (new) (ca) the expected product lifetime and until when the manufacturer ensures the effective handling of vulnerabilities and provision of security updates.
Amendment 497 #
Proposal for a regulation Annex III – Part I – point 3 3.
Amendment 498 #
Proposal for a regulation Annex III – Part I – point 3 a (new) 3a. Authentication, Authorization and Accounting (AAA) platforms.
Amendment 499 #
Proposal for a regulation Annex III – Part I – point 13 13. Remote access
Amendment 500 #
Proposal for a regulation Annex III – Part I – point 15 15. Physical and virtual network interfaces;
Amendment 501 #
Proposal for a regulation Annex III – Part I – point 15 15. Physical and virtual network interfaces;
Amendment 502 #
Proposal for a regulation Annex III – Part I – point 16 16. Operating systems
Amendment 503 #
Proposal for a regulation Annex III – Part I – point 16 16. Operating systems
Amendment 504 #
Proposal for a regulation Annex III – Part I – point 17 17. Firewalls, Security Gateways, intrusion detection and/or prevention systems not covered by class II;
Amendment 505 #
Proposal for a regulation Annex III – Part I – point 17 17. Firewalls, intrusion detection and/or prevention systems
Amendment 506 #
Proposal for a regulation Annex III – Part I – point 18 Amendment 507 #
Proposal for a regulation Annex III – Part I – point 18 Amendment 508 #
Proposal for a regulation Annex III – Part I – point 18 18. Routers, modems intended for the connection to the internet,
Amendment 509 #
Proposal for a regulation Annex III – Part I – point 18 18. Routers, modems intended for the connection to the internet, and switches
Amendment 510 #
Proposal for a regulation Annex III – Part I – point 19 Amendment 511 #
Proposal for a regulation Annex III – Part I – point 19 19. Microprocessors
Amendment 513 #
Proposal for a regulation Annex III – Part I – point 22 22. Industrial Automation & Control Systems (IACS)
Amendment 514 #
Proposal for a regulation Annex III – Part I – point 23 23. Industrial products with digital elements that can be referred as part of Internet of Things not covered by class II.
Amendment 515 #
Proposal for a regulation Annex III – Part I – point 23 23. Industrial Internet of Things
Amendment 516 #
Proposal for a regulation Annex III – Part I – point 23 a (new) Amendment 517 #
Proposal for a regulation Annex III – Part I – point 23 a (new) 23a. Operating systems for servers, desktops, and mobile devices;
Amendment 518 #
Proposal for a regulation Annex III – Part I – point 23 b (new) 23b. Hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments;
Amendment 519 #
Proposal for a regulation Annex III – Part I – point 23 c (new) 23c. Public key infrastructure and digital certificate issuers;
Amendment 520 #
Proposal for a regulation Annex III – Part I – point 23 d (new) 23d. Secure elements;
Amendment 521 #
Proposal for a regulation Annex III – Part I – point 23 e (new) 23e. Hardware Security Modules (HSMs);
Amendment 522 #
Proposal for a regulation Annex III – Part I – point 23 f (new) 23f. Secure crypto processors;
Amendment 523 #
Proposal for a regulation Annex III – Part I – point 23 g (new) 23g. Smartcards, smartcard readers and tokens;
Amendment 524 #
Proposal for a regulation Annex III – Part I – point 23 h (new) 23h. Industrial Internet of Things devices intended for the use by essential entities of the type referred to in [Annex I to the Directive XXX/XXXX (NIS2)];
Amendment 525 #
Proposal for a regulation Annex III – Part I – point 23 i (new) 23i. Robot sensing and actuator components and robot controllers;
Amendment 527 #
Proposal for a regulation Annex III – Part I – point 23 k (new) 23k. 26. Smart home products, including smart home servers and virtual assistants;
Amendment 528 #
Proposal for a regulation Annex III – Part I – point 23 l (new) 23l. Smart security devices, including smart door locks, cameras and alarm systems;
Amendment 529 #
Proposal for a regulation Annex III – Part I – point 23 m (new) 23m. Smart toys and similar devices likely to interact with children;
Amendment 530 #
Proposal for a regulation Annex III – Part I – point 23 n (new) 23n. Personal health appliances and wearables.
Amendment 531 #
Proposal for a regulation Annex III – Part II Amendment 532 #
Proposal for a regulation Annex III – Part II – point 1 Amendment 533 #
Proposal for a regulation Annex III – Part II – point 4 4. Firewalls, Security Gateways, intrusion detection and/or prevention systems intended for industrial use;
Amendment 534 #
Proposal for a regulation Annex III – Part II – point 4 4. Firewalls, security gateways, intrusion detection and/or prevention systems intended for industrial use;
Amendment 535 #
Proposal for a regulation Annex III – Part II – point 5 Amendment 536 #
Proposal for a regulation Annex III – Part II – point 6 Amendment 537 #
Proposal for a regulation Annex III – Part II – point 7 7. Routers, modems intended for the connection to the internet,
Amendment 538 #
Proposal for a regulation Annex III – Part II – point 7 7. Routers, modems intended for the connection to the internet,
Amendment 539 #
Proposal for a regulation Annex III – Part II – point 11 11. Smartcards, smartcard readers, biometric readers, and tokens;
Amendment 540 #
15a. Smart home products, including smart home servers and virtual assistants;
Amendment 541 #
Proposal for a regulation Annex III – Part II – point 15 b (new) 15b. Smart security devices, including smart door locks, cameras and alarm systems;
Amendment 542 #
Proposal for a regulation Annex III – Part II – point 15 c (new) 15c. Smart toys and similar devices likely to interact with children;
Amendment 543 #
Proposal for a regulation Annex III – Part II – point 15 d (new) 15d. Personal health appliances and wearables.
Amendment 544 #
Proposal for a regulation Annex V – paragraph 1 – point 2 – point a Amendment 545 #
Proposal for a regulation Annex V – paragraph 1 – point 2 – point b (b) complete information and specifications of the vulnerability handling processes put in place by the manufacturer
Amendment 546 #
Proposal for a regulation Annex V – paragraph 1 – point 3 3. a
source: 746.920
|
History
(these mark the time of scraping, not the official date of the change)
committees/0 |
|
committees/0 |
|
committees/1 |
|
committees/1 |
|
committees/2/associated |
Old
New
True |
docs/0 |
|
docs/0 |
|
docs/0/body |
Old
EPNew
European Parliament |
docs/1 |
|
docs/1 |
|
docs/2 |
|
docs/2 |
|
docs/2/body |
Old
EPNew
European Parliament |
docs/3 |
|
docs/3 |
|
docs/3/body |
Old
EPNew
European Parliament |
docs/4 |
|
docs/4 |
|
docs/4/body |
Old
EPNew
European Parliament |
docs/5 |
|
docs/5 |
|
docs/5/body |
Old
EPNew
European Parliament |
docs/6 |
|
docs/6 |
|
docs/6/body |
Old
CSLNew
Council of the EU |
docs/7 |
|
docs/7 |
|
docs/7/body |
Old
CSLNew
Council of the EU |
docs/8 |
|
docs/8 |
|
docs/9 |
|
docs/9 |
|
docs/10 |
|
docs/10 |
|
docs/11 |
|
docs/11 |
|
docs/11/body |
Old
ECNew
European Commission |
docs/12 |
|
docs/12 |
|
docs/12/body |
Old
ECNew
European Commission |
docs/13 |
Old
New
|
docs/14 |
Old
New
|
docs/15 |
Old
New
|
docs/16 |
Old
New
|
docs/17 |
|
docs/18 |
|
events/0 |
|
events/0 |
|
events/5/summary/22 |
Committee report tabled for plenary, 1st reading/single reading
|
events/8/docs/1 |
|
events/9/docs/0/title |
Old
Debate in ParliamentNew
Go to the page |
events/10 |
|
events/10 |
|
events/10/summary/24 |
Text adopted by Parliament, 1st reading/single reading
|
events/11 |
|
events/11 |
|
events/11/docs/0/url |
Old
https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=60344&l=enNew
https://oeil.secure.europarl.europa.eu/oeil/en/sda-vote-result?sdaId=60344 |
events/14 |
|
procedure/Legislative priorities/0 |
|
procedure/Legislative priorities/0 |
|
procedure/Legislative priorities/0/url |
Old
https://oeil.secure.europarl.europa.eu/oeil/popups/thematicnote.do?id=41360&l=enNew
https://oeil.secure.europarl.europa.eu/legislative-priorities/thematic-note?id=41360 |
procedure/Legislative priorities/1 |
|
procedure/Legislative priorities/1 |
|
procedure/Legislative priorities/1/url |
Old
https://oeil.secure.europarl.europa.eu/oeil/popups/thematicnote.do?id=41380&l=enNew
https://oeil.secure.europarl.europa.eu/legislative-priorities/thematic-note?id=41380 |
procedure/dossier_of_the_committee |
Old
New
ITRE/9/10122 |
procedure/final |
|
procedure/instrument/1 |
Amending Regulation 2019/1020
|
procedure/instrument/1 |
Amending Regulation 2019/1020 2017/0353(COD)
|
procedure/instrument/2 |
2017/0353(COD)
|
procedure/stage_reached |
Old
Procedure completed, awaiting publication in Official JournalNew
Procedure completed |
docs/12/docs/0/title |
Old
00100/2023/LEXNew
00100/2024/LEX |
docs/12/docs/0/title |
Old
00100/2024/LEXNew
00100/2023/LEX |
docs/12/docs/0/title |
Old
00100/2023/LEXNew
00100/2024/LEX |
docs/12/docs/0/title |
Old
00100/2024/LEXNew
00100/2023/LEX |
docs/12/docs/0/title |
Old
00100/2023/LEXNew
00100/2024/LEX |
docs/11/docs/0/url |
Old
/oeil/spdoc.do?i=60344&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx |
docs/12 |
|
events/12 |
|
events/13 |
|
procedure/stage_reached |
Old
Awaiting Council's 1st reading positionNew
Procedure completed, awaiting publication in Official Journal |
docs/11/docs/0/url |
Old
/oeil/spdoc.do?i=60344&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx |
docs/12 |
|
events/12 |
|
events/13 |
|
procedure/stage_reached |
Old
Awaiting Council's 1st reading positionNew
Procedure completed, awaiting publication in Official Journal |
docs/11/docs/0/url |
Old
/oeil/spdoc.do?i=60344&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx |
docs/12 |
|
events/12 |
|
events/13 |
|
procedure/stage_reached |
Old
Awaiting Council's 1st reading positionNew
Procedure completed, awaiting publication in Official Journal |
docs/11/docs/0/url |
Old
/oeil/spdoc.do?i=60344&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx |
docs/12 |
|
events/12 |
|
events/13 |
|
procedure/stage_reached |
Old
Awaiting Council's 1st reading positionNew
Procedure completed, awaiting publication in Official Journal |
docs/11/docs/0/url |
Old
/oeil/spdoc.do?i=60344&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx |
docs/12 |
|
events/12 |
|
events/13 |
|
procedure/stage_reached |
Old
Awaiting Council's 1st reading positionNew
Procedure completed, awaiting publication in Official Journal |
docs/11/docs/0/url |
Old
/oeil/spdoc.do?i=60344&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx |
docs/12 |
|
events/12 |
|
events/13 |
|
procedure/stage_reached |
Old
Awaiting Council's 1st reading positionNew
Procedure completed, awaiting publication in Official Journal |
docs/11/docs/0/url |
Old
/oeil/spdoc.do?i=60344&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx |
docs/12 |
|
events/12 |
|
procedure/stage_reached |
Old
Awaiting Council's 1st reading positionNew
Awaiting signature of act |
docs/11/docs/0/url |
Old
/oeil/spdoc.do?i=60344&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx |
docs/12 |
|
events/12 |
|
procedure/stage_reached |
Old
Awaiting Council's 1st reading positionNew
Awaiting signature of act |
docs/11/docs/0/url |
Old
/oeil/spdoc.do?i=60344&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx |
docs/12 |
|
events/12 |
|
procedure/stage_reached |
Old
Awaiting Council's 1st reading positionNew
Awaiting signature of act |
docs/11/docs/0/url |
Old
/oeil/spdoc.do?i=60344&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx |
docs/12 |
|
events/12 |
|
procedure/stage_reached |
Old
Awaiting Council's 1st reading positionNew
Awaiting signature of act |
docs/11/docs/0/url |
Old
/oeil/spdoc.do?i=60344&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx |
docs/12 |
|
events/12 |
|
procedure/stage_reached |
Old
Awaiting Council's 1st reading positionNew
Awaiting signature of act |
docs/11/docs/0/url |
Old
/oeil/spdoc.do?i=60344&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx |
docs/12 |
|
events/12 |
|
procedure/stage_reached |
Old
Awaiting Council's 1st reading positionNew
Awaiting signature of act |
docs/11/docs/0/url |
Old
/oeil/spdoc.do?i=60344&j=0&l=enNew
https://data.europarl.europa.eu/distribution/doc/SP-2024-350-TA-9-2024-0130_en.docx |
events/12 |
|
procedure/stage_reached |
Old
Awaiting Council's 1st reading positionNew
Awaiting signature of act |
docs/11/docs/0/url |
Old
/oeil/spdoc.do?i=60344&j=0&l=enNew
nulldistribution/doc/SP-2024-350-TA-9-2024-0130_en.docx |
events/12 |
|
procedure/stage_reached |
Old
Awaiting Council's 1st reading positionNew
Awaiting signature of act |
events/12 |
|
procedure/stage_reached |
Old
Awaiting Council's 1st reading positionNew
Awaiting signature of act |
docs/3/docs/0/url |
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOCNew
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202 |
docs/11 |
|
docs/3/docs/0/url |
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOCNew
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202 |
docs/11 |
|
docs/3/docs/0/url |
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOCNew
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202 |
docs/11 |
|
docs/3/docs/0/url |
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOCNew
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202 |
docs/11 |
|
docs/3/docs/0/url |
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOCNew
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202 |
docs/11 |
|
docs/3/docs/0/url |
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOCNew
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202 |
docs/11 |
|
docs/3/docs/0/url |
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOCNew
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202 |
docs/11 |
|
docs/3/docs/0/url |
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOCNew
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202 |
docs/11 |
|
docs/3/docs/0/url |
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOCNew
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202 |
docs/11 |
|
docs/3/docs/0/url |
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOCNew
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202 |
docs/11 |
|
docs/3/docs/0/url |
Old
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOCNew
https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=29110202 |
docs/11 |
|
docs/3 |
|
docs/3 |
|
docs/11 |
|
docs/3 |
|
docs/3 |
|
docs/11 |
|
docs/3 |
|
docs/3 |
|
docs/11 |
|
docs/3 |
|
docs/3 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
docs/11 |
|
procedure/Other legal basis |
Old
Rules of Procedure EP 159New
Rules of Procedure EP 165 |
procedure/legal_basis/0 |
Rules of Procedure EP 57_o
|
procedure/legal_basis/0 |
Rules of Procedure EP 57
|
procedure/Other legal basis |
Old
Rules of Procedure EP 159New
Rules of Procedure EP 165 |
procedure/legal_basis/0 |
Rules of Procedure EP 57_o
|
procedure/legal_basis/0 |
Rules of Procedure EP 57
|
procedure/Other legal basis |
Old
Rules of Procedure EP 159New
Rules of Procedure EP 165 |
procedure/legal_basis/0 |
Rules of Procedure EP 57_o
|
procedure/legal_basis/0 |
Rules of Procedure EP 57
|
procedure/Other legal basis |
Old
Rules of Procedure EP 159New
Rules of Procedure EP 165 |
procedure/legal_basis/0 |
Rules of Procedure EP 57_o
|
procedure/legal_basis/0 |
Rules of Procedure EP 57
|
procedure/Other legal basis |
Old
Rules of Procedure EP 159New
Rules of Procedure EP 165 |
procedure/legal_basis/0 |
Rules of Procedure EP 57_o
|
procedure/legal_basis/0 |
Rules of Procedure EP 57
|
procedure/Other legal basis |
Old
Rules of Procedure EP 159New
Rules of Procedure EP 165 |
procedure/legal_basis/0 |
Rules of Procedure EP 57_o
|
procedure/legal_basis/0 |
Rules of Procedure EP 57
|
events/10 |
|
events/10 |
|
events/10 |
|
events/10 |
|
events/10 |
|
events/10 |
|
events/10 |
|
events/10 |
|
events/10 |
|
events/10 |
|
events/10 |
|
events/10 |
|
docs/11 |
|
events/10/summary |
|
docs/11 |
|
events/10/summary |
|
docs/11 |
|
events/10/summary |
|
docs/11 |
|
events/10/summary |
|
docs/11 |
|
events/10/summary |
|
docs/11 |
|
events/10/summary |
|
docs/11 |
|
events/10/summary |
|
docs/11 |
|
events/10/summary |
|
docs/11 |
|
events/10/summary |
|
docs/11 |
|
events/10/summary |
|
docs/11 |
|
events/10/summary |
|
docs/11 |
|
events/9 |
|
events/10 |
|
forecasts |
|
procedure/stage_reached |
Old
Awaiting Parliament's position in 1st readingNew
Awaiting Council's 1st reading position |
events/9 |
|
forecasts |
|
events/9 |
|
forecasts/0 |
|
forecasts/0 |
|
forecasts/0/title |
Old
Indicative plenary sitting dateNew
Debate scheduled |
forecasts/1 |
|
forecasts/0/title |
Old
Indicative plenary sitting dateNew
Debate in plenary scheduled |
forecasts/1 |
|
forecasts/0/title |
Old
Indicative plenary sitting dateNew
Debate in plenary scheduled |
forecasts/1 |
|
forecasts/0/title |
Old
Indicative plenary sitting dateNew
Debate in plenary scheduled |
forecasts/1 |
|
forecasts/0/title |
Old
Indicative plenary sitting dateNew
Debate in plenary scheduled |
forecasts/1 |
|
docs/10 |
|
events/8/docs |
|
forecasts/0/date |
Old
2024-04-10T00:00:00New
2024-03-11T00:00:00 |
forecasts/0/date |
Old
2024-03-11T00:00:00New
2024-04-10T00:00:00 |
forecasts/0/date |
Old
2024-04-10T00:00:00New
2024-03-11T00:00:00 |
events/8 |
|
docs/9 |
|
forecasts/0/date |
Old
2024-03-11T00:00:00New
2024-04-10T00:00:00 |
forecasts |
|
docs/3/docs/0/url |
Old
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:C:2022:452:TOCNew
https://eur-lex.europa.eu/oj/daily-view/L-series/EN/TXT/?uri=OJ:C:2022:452:TOC |
docs/9/date |
Old
2023-05-22T00:00:00New
2023-05-23T00:00:00 |
docs/10/date |
Old
2022-12-20T00:00:00New
2022-12-21T00:00:00 |
docs/11/date |
Old
2022-11-13T00:00:00New
2022-11-14T00:00:00 |
docs/12/date |
Old
2022-12-18T00:00:00New
2022-12-19T00:00:00 |
events/7 |
|
events/6 |
|
docs/10 |
|
docs/9 |
|
events/5/summary |
|
docs/9 |
|
events/5/docs |
|
events/5 |
|
procedure/stage_reached |
Old
Awaiting committee decisionNew
Awaiting Parliament's position in 1st reading |
events/3 |
|
events/4 |
|
procedure/Other legal basis |
Rules of Procedure EP 159
|
docs/8 |
|
docs/8 |
|
docs/7 |
|
docs/6 |
|
committees/2/opinion |
False
|
events/2 |
|
procedure/legal_basis/0 |
Rules of Procedure EP 57
|
docs/5 |
|
procedure/Legislative priorities/0/title |
Old
Joint Declaration on EU legislative priorities for 2023 and 2024New
Joint Declaration 2023-24 |
procedure/Legislative priorities/0 |
|
committees/0/shadows/3 |
|
docs/4 |
|
committees/0/shadows/4 |
|
committees/1 |
Old
New
|
committees/2 |
Old
New
|
docs/4 |
|
docs/4 |
|
docs/0 |
|
events/0 |
|
committees/1/rapporteur |
|
docs/0 |
|
events/0 |
|
committees/0 |
|
committees/0 |
|
docs/3 |
|
docs/3 |
|
docs/3 |
|
events/1 |
|
procedure/dossier_of_the_committee |
|
procedure/stage_reached |
Old
Preparatory phase in ParliamentNew
Awaiting committee decision |
commission |
|
committees/0/shadows/2 |
|
procedure/Legislative priorities |
|
procedure/title |
Old
Horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act)New
Cyber Resilience Act |
committees/0/rapporteur |
|
committees/0/shadows/0 |
|
committees/0/shadows |
|
docs/0/docs/0 |
|
docs/0 |
|
events/0/summary |
|